search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bluetooth: Prevent buffer overflow in l2cap config request
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / net / bluetooth / l2cap.c
blob71120ee8511e8e07277220dbae719b54840a4549
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth L2CAP core and sockets. */
26
27 #include <linux/module.h>
28
29 #include <linux/types.h>
30 #include <linux/capability.h>
31 #include <linux/errno.h>
32 #include <linux/kernel.h>
33 #include <linux/sched.h>
34 #include <linux/slab.h>
35 #include <linux/poll.h>
36 #include <linux/fcntl.h>
37 #include <linux/init.h>
38 #include <linux/interrupt.h>
39 #include <linux/socket.h>
40 #include <linux/skbuff.h>
41 #include <linux/list.h>
42 #include <linux/device.h>
43 #include <linux/uaccess.h>
44 #include <linux/crc16.h>
45 #include <net/sock.h>
46
47 #include <asm/system.h>
48 #include <asm/unaligned.h>
49
50 #include <net/bluetooth/bluetooth.h>
51 #include <net/bluetooth/hci_core.h>
52 #include <net/bluetooth/l2cap.h>
53
54 #define VERSION "2.14"
55
56 static int enable_ertm = 0;
57
58 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
59 static u8 l2cap_fixed_chan[8] = { 0x02, };
60
61 static const struct proto_ops l2cap_sock_ops;
62
63 static struct bt_sock_list l2cap_sk_list = {
64 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
65 };
66
67 static void __l2cap_sock_close(struct sock *sk, int reason);
68 static void l2cap_sock_close(struct sock *sk);
69 static void l2cap_sock_kill(struct sock *sk);
70
71 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
72 u8 code, u8 ident, u16 dlen, void *data);
73
74 /* ---- L2CAP timers ---- */
75 static void l2cap_sock_timeout(unsigned long arg)
76 {
77 struct sock *sk = (struct sock *) arg;
78 int reason;
79
80 BT_DBG("sock %p state %d", sk, sk->sk_state);
81
82 bh_lock_sock(sk);
83
84 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
85 reason = ECONNREFUSED;
86 else if (sk->sk_state == BT_CONNECT &&
87 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
88 reason = ECONNREFUSED;
89 else
90 reason = ETIMEDOUT;
91
92 __l2cap_sock_close(sk, reason);
93
94 bh_unlock_sock(sk);
95
96 l2cap_sock_kill(sk);
97 sock_put(sk);
98 }
99
100 static void l2cap_sock_set_timer(struct sock *sk, long timeout)
101 {
102 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
103 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
104 }
105
106 static void l2cap_sock_clear_timer(struct sock *sk)
107 {
108 BT_DBG("sock %p state %d", sk, sk->sk_state);
109 sk_stop_timer(sk, &sk->sk_timer);
110 }
111
112 /* ---- L2CAP channels ---- */
113 static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
114 {
115 struct sock *s;
116 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
117 if (l2cap_pi(s)->dcid == cid)
118 break;
119 }
120 return s;
121 }
122
123 static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
124 {
125 struct sock *s;
126 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
127 if (l2cap_pi(s)->scid == cid)
128 break;
129 }
130 return s;
131 }
132
133 /* Find channel with given SCID.
134 * Returns locked socket */
135 static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
136 {
137 struct sock *s;
138 read_lock(&l->lock);
139 s = __l2cap_get_chan_by_scid(l, cid);
140 if (s)
141 bh_lock_sock(s);
142 read_unlock(&l->lock);
143 return s;
144 }
145
146 static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
147 {
148 struct sock *s;
149 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
150 if (l2cap_pi(s)->ident == ident)
151 break;
152 }
153 return s;
154 }
155
156 static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
157 {
158 struct sock *s;
159 read_lock(&l->lock);
160 s = __l2cap_get_chan_by_ident(l, ident);
161 if (s)
162 bh_lock_sock(s);
163 read_unlock(&l->lock);
164 return s;
165 }
166
167 static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
168 {
169 u16 cid = L2CAP_CID_DYN_START;
170
171 for (; cid < L2CAP_CID_DYN_END; cid++) {
172 if (!__l2cap_get_chan_by_scid(l, cid))
173 return cid;
174 }
175
176 return 0;
177 }
178
179 static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
180 {
181 sock_hold(sk);
182
183 if (l->head)
184 l2cap_pi(l->head)->prev_c = sk;
185
186 l2cap_pi(sk)->next_c = l->head;
187 l2cap_pi(sk)->prev_c = NULL;
188 l->head = sk;
189 }
190
191 static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
192 {
193 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
194
195 write_lock_bh(&l->lock);
196 if (sk == l->head)
197 l->head = next;
198
199 if (next)
200 l2cap_pi(next)->prev_c = prev;
201 if (prev)
202 l2cap_pi(prev)->next_c = next;
203 write_unlock_bh(&l->lock);
204
205 __sock_put(sk);
206 }
207
208 static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
209 {
210 struct l2cap_chan_list *l = &conn->chan_list;
211
212 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
213 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
214
215 conn->disc_reason = 0x13;
216
217 l2cap_pi(sk)->conn = conn;
218
219 if (sk->sk_type == SOCK_SEQPACKET) {
220 /* Alloc CID for connection-oriented socket */
221 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
222 } else if (sk->sk_type == SOCK_DGRAM) {
223 /* Connectionless socket */
224 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
225 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
226 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
227 } else {
228 /* Raw socket can send/recv signalling messages only */
229 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
230 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
231 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
232 }
233
234 __l2cap_chan_link(l, sk);
235
236 if (parent)
237 bt_accept_enqueue(parent, sk);
238 }
239
240 /* Delete channel.
241 * Must be called on the locked socket. */
242 static void l2cap_chan_del(struct sock *sk, int err)
243 {
244 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
245 struct sock *parent = bt_sk(sk)->parent;
246
247 l2cap_sock_clear_timer(sk);
248
249 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
250
251 if (conn) {
252 /* Unlink from channel list */
253 l2cap_chan_unlink(&conn->chan_list, sk);
254 l2cap_pi(sk)->conn = NULL;
255 hci_conn_put(conn->hcon);
256 }
257
258 sk->sk_state = BT_CLOSED;
259 sock_set_flag(sk, SOCK_ZAPPED);
260
261 if (err)
262 sk->sk_err = err;
263
264 if (parent) {
265 bt_accept_unlink(sk);
266 parent->sk_data_ready(parent, 0);
267 } else
268 sk->sk_state_change(sk);
269 }
270
271 /* Service level security */
272 static inline int l2cap_check_security(struct sock *sk)
273 {
274 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
275 __u8 auth_type;
276
277 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
278 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
279 auth_type = HCI_AT_NO_BONDING_MITM;
280 else
281 auth_type = HCI_AT_NO_BONDING;
282
283 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
284 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
285 } else {
286 switch (l2cap_pi(sk)->sec_level) {
287 case BT_SECURITY_HIGH:
288 auth_type = HCI_AT_GENERAL_BONDING_MITM;
289 break;
290 case BT_SECURITY_MEDIUM:
291 auth_type = HCI_AT_GENERAL_BONDING;
292 break;
293 default:
294 auth_type = HCI_AT_NO_BONDING;
295 break;
296 }
297 }
298
299 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
300 auth_type);
301 }
302
303 static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
304 {
305 u8 id;
306
307 /* Get next available identificator.
308 * 1 - 128 are used by kernel.
309 * 129 - 199 are reserved.
310 * 200 - 254 are used by utilities like l2ping, etc.
311 */
312
313 spin_lock_bh(&conn->lock);
314
315 if (++conn->tx_ident > 128)
316 conn->tx_ident = 1;
317
318 id = conn->tx_ident;
319
320 spin_unlock_bh(&conn->lock);
321
322 return id;
323 }
324
325 static inline int l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
326 {
327 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
328
329 BT_DBG("code 0x%2.2x", code);
330
331 if (!skb)
332 return -ENOMEM;
333
334 return hci_send_acl(conn->hcon, skb, 0);
335 }
336
337 static inline int l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
338 {
339 struct sk_buff *skb;
340 struct l2cap_hdr *lh;
341 struct l2cap_conn *conn = pi->conn;
342 int count, hlen = L2CAP_HDR_SIZE + 2;
343
344 if (pi->fcs == L2CAP_FCS_CRC16)
345 hlen += 2;
346
347 BT_DBG("pi %p, control 0x%2.2x", pi, control);
348
349 count = min_t(unsigned int, conn->mtu, hlen);
350 control |= L2CAP_CTRL_FRAME_TYPE;
351
352 skb = bt_skb_alloc(count, GFP_ATOMIC);
353 if (!skb)
354 return -ENOMEM;
355
356 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
357 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
358 lh->cid = cpu_to_le16(pi->dcid);
359 put_unaligned_le16(control, skb_put(skb, 2));
360
361 if (pi->fcs == L2CAP_FCS_CRC16) {
362 u16 fcs = crc16(0, (u8 *)lh, count - 2);
363 put_unaligned_le16(fcs, skb_put(skb, 2));
364 }
365
366 return hci_send_acl(pi->conn->hcon, skb, 0);
367 }
368
369 static inline int l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
370 {
371 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY)
372 control |= L2CAP_SUPER_RCV_NOT_READY;
373 else
374 control |= L2CAP_SUPER_RCV_READY;
375
376 return l2cap_send_sframe(pi, control);
377 }
378
379 static void l2cap_do_start(struct sock *sk)
380 {
381 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
382
383 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
384 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
385 return;
386
387 if (l2cap_check_security(sk)) {
388 struct l2cap_conn_req req;
389 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
390 req.psm = l2cap_pi(sk)->psm;
391
392 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
393
394 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
395 L2CAP_CONN_REQ, sizeof(req), &req);
396 }
397 } else {
398 struct l2cap_info_req req;
399 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
400
401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
402 conn->info_ident = l2cap_get_ident(conn);
403
404 mod_timer(&conn->info_timer, jiffies +
405 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
406
407 l2cap_send_cmd(conn, conn->info_ident,
408 L2CAP_INFO_REQ, sizeof(req), &req);
409 }
410 }
411
412 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk)
413 {
414 struct l2cap_disconn_req req;
415
416 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
417 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
418 l2cap_send_cmd(conn, l2cap_get_ident(conn),
419 L2CAP_DISCONN_REQ, sizeof(req), &req);
420 }
421
422 /* ---- L2CAP connections ---- */
423 static void l2cap_conn_start(struct l2cap_conn *conn)
424 {
425 struct l2cap_chan_list *l = &conn->chan_list;
426 struct sock *sk;
427
428 BT_DBG("conn %p", conn);
429
430 read_lock(&l->lock);
431
432 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
433 bh_lock_sock(sk);
434
435 if (sk->sk_type != SOCK_SEQPACKET) {
436 bh_unlock_sock(sk);
437 continue;
438 }
439
440 if (sk->sk_state == BT_CONNECT) {
441 if (l2cap_check_security(sk)) {
442 struct l2cap_conn_req req;
443 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
444 req.psm = l2cap_pi(sk)->psm;
445
446 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
447
448 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
449 L2CAP_CONN_REQ, sizeof(req), &req);
450 }
451 } else if (sk->sk_state == BT_CONNECT2) {
452 struct l2cap_conn_rsp rsp;
453 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
454 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
455
456 if (l2cap_check_security(sk)) {
457 if (bt_sk(sk)->defer_setup) {
458 struct sock *parent = bt_sk(sk)->parent;
459 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
460 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
461 parent->sk_data_ready(parent, 0);
462
463 } else {
464 sk->sk_state = BT_CONFIG;
465 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
466 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
467 }
468 } else {
469 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
470 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
471 }
472
473 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
474 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
475 }
476
477 bh_unlock_sock(sk);
478 }
479
480 read_unlock(&l->lock);
481 }
482
483 static void l2cap_conn_ready(struct l2cap_conn *conn)
484 {
485 struct l2cap_chan_list *l = &conn->chan_list;
486 struct sock *sk;
487
488 BT_DBG("conn %p", conn);
489
490 read_lock(&l->lock);
491
492 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
493 bh_lock_sock(sk);
494
495 if (sk->sk_type != SOCK_SEQPACKET) {
496 l2cap_sock_clear_timer(sk);
497 sk->sk_state = BT_CONNECTED;
498 sk->sk_state_change(sk);
499 } else if (sk->sk_state == BT_CONNECT)
500 l2cap_do_start(sk);
501
502 bh_unlock_sock(sk);
503 }
504
505 read_unlock(&l->lock);
506 }
507
508 /* Notify sockets that we cannot guaranty reliability anymore */
509 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
510 {
511 struct l2cap_chan_list *l = &conn->chan_list;
512 struct sock *sk;
513
514 BT_DBG("conn %p", conn);
515
516 read_lock(&l->lock);
517
518 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
519 if (l2cap_pi(sk)->force_reliable)
520 sk->sk_err = err;
521 }
522
523 read_unlock(&l->lock);
524 }
525
526 static void l2cap_info_timeout(unsigned long arg)
527 {
528 struct l2cap_conn *conn = (void *) arg;
529
530 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
531 conn->info_ident = 0;
532
533 l2cap_conn_start(conn);
534 }
535
536 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
537 {
538 struct l2cap_conn *conn = hcon->l2cap_data;
539
540 if (conn || status)
541 return conn;
542
543 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
544 if (!conn)
545 return NULL;
546
547 hcon->l2cap_data = conn;
548 conn->hcon = hcon;
549
550 BT_DBG("hcon %p conn %p", hcon, conn);
551
552 conn->mtu = hcon->hdev->acl_mtu;
553 conn->src = &hcon->hdev->bdaddr;
554 conn->dst = &hcon->dst;
555
556 conn->feat_mask = 0;
557
558 spin_lock_init(&conn->lock);
559 rwlock_init(&conn->chan_list.lock);
560
561 setup_timer(&conn->info_timer, l2cap_info_timeout,
562 (unsigned long) conn);
563
564 conn->disc_reason = 0x13;
565
566 return conn;
567 }
568
569 static void l2cap_conn_del(struct hci_conn *hcon, int err)
570 {
571 struct l2cap_conn *conn = hcon->l2cap_data;
572 struct sock *sk;
573
574 if (!conn)
575 return;
576
577 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
578
579 kfree_skb(conn->rx_skb);
580
581 /* Kill channels */
582 while ((sk = conn->chan_list.head)) {
583 bh_lock_sock(sk);
584 l2cap_chan_del(sk, err);
585 bh_unlock_sock(sk);
586 l2cap_sock_kill(sk);
587 }
588
589 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
590 del_timer_sync(&conn->info_timer);
591
592 hcon->l2cap_data = NULL;
593 kfree(conn);
594 }
595
596 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
597 {
598 struct l2cap_chan_list *l = &conn->chan_list;
599 write_lock_bh(&l->lock);
600 __l2cap_chan_add(conn, sk, parent);
601 write_unlock_bh(&l->lock);
602 }
603
604 /* ---- Socket interface ---- */
605 static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
606 {
607 struct sock *sk;
608 struct hlist_node *node;
609 sk_for_each(sk, node, &l2cap_sk_list.head)
610 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
611 goto found;
612 sk = NULL;
613 found:
614 return sk;
615 }
616
617 /* Find socket with psm and source bdaddr.
618 * Returns closest match.
619 */
620 static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
621 {
622 struct sock *sk = NULL, *sk1 = NULL;
623 struct hlist_node *node;
624
625 sk_for_each(sk, node, &l2cap_sk_list.head) {
626 if (state && sk->sk_state != state)
627 continue;
628
629 if (l2cap_pi(sk)->psm == psm) {
630 /* Exact match. */
631 if (!bacmp(&bt_sk(sk)->src, src))
632 break;
633
634 /* Closest match */
635 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
636 sk1 = sk;
637 }
638 }
639 return node ? sk : sk1;
640 }
641
642 /* Find socket with given address (psm, src).
643 * Returns locked socket */
644 static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
645 {
646 struct sock *s;
647 read_lock(&l2cap_sk_list.lock);
648 s = __l2cap_get_sock_by_psm(state, psm, src);
649 if (s)
650 bh_lock_sock(s);
651 read_unlock(&l2cap_sk_list.lock);
652 return s;
653 }
654
655 static void l2cap_sock_destruct(struct sock *sk)
656 {
657 BT_DBG("sk %p", sk);
658
659 skb_queue_purge(&sk->sk_receive_queue);
660 skb_queue_purge(&sk->sk_write_queue);
661 }
662
663 static void l2cap_sock_cleanup_listen(struct sock *parent)
664 {
665 struct sock *sk;
666
667 BT_DBG("parent %p", parent);
668
669 /* Close not yet accepted channels */
670 while ((sk = bt_accept_dequeue(parent, NULL)))
671 l2cap_sock_close(sk);
672
673 parent->sk_state = BT_CLOSED;
674 sock_set_flag(parent, SOCK_ZAPPED);
675 }
676
677 /* Kill socket (only if zapped and orphan)
678 * Must be called on unlocked socket.
679 */
680 static void l2cap_sock_kill(struct sock *sk)
681 {
682 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
683 return;
684
685 BT_DBG("sk %p state %d", sk, sk->sk_state);
686
687 /* Kill poor orphan */
688 bt_sock_unlink(&l2cap_sk_list, sk);
689 sock_set_flag(sk, SOCK_DEAD);
690 sock_put(sk);
691 }
692
693 static void __l2cap_sock_close(struct sock *sk, int reason)
694 {
695 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
696
697 switch (sk->sk_state) {
698 case BT_LISTEN:
699 l2cap_sock_cleanup_listen(sk);
700 break;
701
702 case BT_CONNECTED:
703 case BT_CONFIG:
704 if (sk->sk_type == SOCK_SEQPACKET) {
705 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
706
707 sk->sk_state = BT_DISCONN;
708 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
709 l2cap_send_disconn_req(conn, sk);
710 } else
711 l2cap_chan_del(sk, reason);
712 break;
713
714 case BT_CONNECT2:
715 if (sk->sk_type == SOCK_SEQPACKET) {
716 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
717 struct l2cap_conn_rsp rsp;
718 __u16 result;
719
720 if (bt_sk(sk)->defer_setup)
721 result = L2CAP_CR_SEC_BLOCK;
722 else
723 result = L2CAP_CR_BAD_PSM;
724
725 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
726 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
727 rsp.result = cpu_to_le16(result);
728 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
729 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
730 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
731 } else
732 l2cap_chan_del(sk, reason);
733 break;
734
735 case BT_CONNECT:
736 case BT_DISCONN:
737 l2cap_chan_del(sk, reason);
738 break;
739
740 default:
741 sock_set_flag(sk, SOCK_ZAPPED);
742 break;
743 }
744 }
745
746 /* Must be called on unlocked socket. */
747 static void l2cap_sock_close(struct sock *sk)
748 {
749 l2cap_sock_clear_timer(sk);
750 lock_sock(sk);
751 __l2cap_sock_close(sk, ECONNRESET);
752 release_sock(sk);
753 l2cap_sock_kill(sk);
754 }
755
756 static void l2cap_sock_init(struct sock *sk, struct sock *parent)
757 {
758 struct l2cap_pinfo *pi = l2cap_pi(sk);
759
760 BT_DBG("sk %p", sk);
761
762 if (parent) {
763 sk->sk_type = parent->sk_type;
764 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
765
766 pi->imtu = l2cap_pi(parent)->imtu;
767 pi->omtu = l2cap_pi(parent)->omtu;
768 pi->mode = l2cap_pi(parent)->mode;
769 pi->fcs = l2cap_pi(parent)->fcs;
770 pi->sec_level = l2cap_pi(parent)->sec_level;
771 pi->role_switch = l2cap_pi(parent)->role_switch;
772 pi->force_reliable = l2cap_pi(parent)->force_reliable;
773 } else {
774 pi->imtu = L2CAP_DEFAULT_MTU;
775 pi->omtu = 0;
776 pi->mode = L2CAP_MODE_BASIC;
777 pi->fcs = L2CAP_FCS_CRC16;
778 pi->sec_level = BT_SECURITY_LOW;
779 pi->role_switch = 0;
780 pi->force_reliable = 0;
781 }
782
783 /* Default config options */
784 pi->conf_len = 0;
785 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
786 skb_queue_head_init(TX_QUEUE(sk));
787 skb_queue_head_init(SREJ_QUEUE(sk));
788 INIT_LIST_HEAD(SREJ_LIST(sk));
789 }
790
791 static struct proto l2cap_proto = {
792 .name = "L2CAP",
793 .owner = THIS_MODULE,
794 .obj_size = sizeof(struct l2cap_pinfo)
795 };
796
797 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
798 {
799 struct sock *sk;
800
801 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
802 if (!sk)
803 return NULL;
804
805 sock_init_data(sock, sk);
806 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
807
808 sk->sk_destruct = l2cap_sock_destruct;
809 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
810
811 sock_reset_flag(sk, SOCK_ZAPPED);
812
813 sk->sk_protocol = proto;
814 sk->sk_state = BT_OPEN;
815
816 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
817
818 bt_sock_link(&l2cap_sk_list, sk);
819 return sk;
820 }
821
822 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol)
823 {
824 struct sock *sk;
825
826 BT_DBG("sock %p", sock);
827
828 sock->state = SS_UNCONNECTED;
829
830 if (sock->type != SOCK_SEQPACKET &&
831 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
832 return -ESOCKTNOSUPPORT;
833
834 if (sock->type == SOCK_RAW && !capable(CAP_NET_RAW))
835 return -EPERM;
836
837 sock->ops = &l2cap_sock_ops;
838
839 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
840 if (!sk)
841 return -ENOMEM;
842
843 l2cap_sock_init(sk, NULL);
844 return 0;
845 }
846
847 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
848 {
849 struct sock *sk = sock->sk;
850 struct sockaddr_l2 la;
851 int len, err = 0;
852
853 BT_DBG("sk %p", sk);
854
855 if (!addr || addr->sa_family != AF_BLUETOOTH)
856 return -EINVAL;
857
858 memset(&la, 0, sizeof(la));
859 len = min_t(unsigned int, sizeof(la), alen);
860 memcpy(&la, addr, len);
861
862 if (la.l2_cid)
863 return -EINVAL;
864
865 lock_sock(sk);
866
867 if (sk->sk_state != BT_OPEN) {
868 err = -EBADFD;
869 goto done;
870 }
871
872 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
873 !capable(CAP_NET_BIND_SERVICE)) {
874 err = -EACCES;
875 goto done;
876 }
877
878 write_lock_bh(&l2cap_sk_list.lock);
879
880 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
881 err = -EADDRINUSE;
882 } else {
883 /* Save source address */
884 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
885 l2cap_pi(sk)->psm = la.l2_psm;
886 l2cap_pi(sk)->sport = la.l2_psm;
887 sk->sk_state = BT_BOUND;
888
889 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
890 __le16_to_cpu(la.l2_psm) == 0x0003)
891 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
892 }
893
894 write_unlock_bh(&l2cap_sk_list.lock);
895
896 done:
897 release_sock(sk);
898 return err;
899 }
900
901 static int l2cap_do_connect(struct sock *sk)
902 {
903 bdaddr_t *src = &bt_sk(sk)->src;
904 bdaddr_t *dst = &bt_sk(sk)->dst;
905 struct l2cap_conn *conn;
906 struct hci_conn *hcon;
907 struct hci_dev *hdev;
908 __u8 auth_type;
909 int err;
910
911 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
912 l2cap_pi(sk)->psm);
913
914 hdev = hci_get_route(dst, src);
915 if (!hdev)
916 return -EHOSTUNREACH;
917
918 hci_dev_lock_bh(hdev);
919
920 err = -ENOMEM;
921
922 if (sk->sk_type == SOCK_RAW) {
923 switch (l2cap_pi(sk)->sec_level) {
924 case BT_SECURITY_HIGH:
925 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
926 break;
927 case BT_SECURITY_MEDIUM:
928 auth_type = HCI_AT_DEDICATED_BONDING;
929 break;
930 default:
931 auth_type = HCI_AT_NO_BONDING;
932 break;
933 }
934 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
935 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
936 auth_type = HCI_AT_NO_BONDING_MITM;
937 else
938 auth_type = HCI_AT_NO_BONDING;
939
940 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
941 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
942 } else {
943 switch (l2cap_pi(sk)->sec_level) {
944 case BT_SECURITY_HIGH:
945 auth_type = HCI_AT_GENERAL_BONDING_MITM;
946 break;
947 case BT_SECURITY_MEDIUM:
948 auth_type = HCI_AT_GENERAL_BONDING;
949 break;
950 default:
951 auth_type = HCI_AT_NO_BONDING;
952 break;
953 }
954 }
955
956 hcon = hci_connect(hdev, ACL_LINK, dst,
957 l2cap_pi(sk)->sec_level, auth_type);
958 if (!hcon)
959 goto done;
960
961 conn = l2cap_conn_add(hcon, 0);
962 if (!conn) {
963 hci_conn_put(hcon);
964 goto done;
965 }
966
967 err = 0;
968
969 /* Update source addr of the socket */
970 bacpy(src, conn->src);
971
972 l2cap_chan_add(conn, sk, NULL);
973
974 sk->sk_state = BT_CONNECT;
975 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
976
977 if (hcon->state == BT_CONNECTED) {
978 if (sk->sk_type != SOCK_SEQPACKET) {
979 l2cap_sock_clear_timer(sk);
980 sk->sk_state = BT_CONNECTED;
981 } else
982 l2cap_do_start(sk);
983 }
984
985 done:
986 hci_dev_unlock_bh(hdev);
987 hci_dev_put(hdev);
988 return err;
989 }
990
991 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
992 {
993 struct sock *sk = sock->sk;
994 struct sockaddr_l2 la;
995 int len, err = 0;
996
997 BT_DBG("sk %p", sk);
998
999 if (!addr || addr->sa_family != AF_BLUETOOTH)
1000 return -EINVAL;
1001
1002 memset(&la, 0, sizeof(la));
1003 len = min_t(unsigned int, sizeof(la), alen);
1004 memcpy(&la, addr, len);
1005
1006 if (la.l2_cid)
1007 return -EINVAL;
1008
1009 lock_sock(sk);
1010
1011 if (sk->sk_type == SOCK_SEQPACKET && !la.l2_psm) {
1012 err = -EINVAL;
1013 goto done;
1014 }
1015
1016 switch (l2cap_pi(sk)->mode) {
1017 case L2CAP_MODE_BASIC:
1018 break;
1019 case L2CAP_MODE_ERTM:
1020 case L2CAP_MODE_STREAMING:
1021 if (enable_ertm)
1022 break;
1023 /* fall through */
1024 default:
1025 err = -ENOTSUPP;
1026 goto done;
1027 }
1028
1029 switch (sk->sk_state) {
1030 case BT_CONNECT:
1031 case BT_CONNECT2:
1032 case BT_CONFIG:
1033 /* Already connecting */
1034 goto wait;
1035
1036 case BT_CONNECTED:
1037 /* Already connected */
1038 goto done;
1039
1040 case BT_OPEN:
1041 case BT_BOUND:
1042 /* Can connect */
1043 break;
1044
1045 default:
1046 err = -EBADFD;
1047 goto done;
1048 }
1049
1050 /* Set destination address and psm */
1051 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1052 l2cap_pi(sk)->psm = la.l2_psm;
1053
1054 err = l2cap_do_connect(sk);
1055 if (err)
1056 goto done;
1057
1058 wait:
1059 err = bt_sock_wait_state(sk, BT_CONNECTED,
1060 sock_sndtimeo(sk, flags & O_NONBLOCK));
1061 done:
1062 release_sock(sk);
1063 return err;
1064 }
1065
1066 static int l2cap_sock_listen(struct socket *sock, int backlog)
1067 {
1068 struct sock *sk = sock->sk;
1069 int err = 0;
1070
1071 BT_DBG("sk %p backlog %d", sk, backlog);
1072
1073 lock_sock(sk);
1074
1075 if (sk->sk_state != BT_BOUND || sock->type != SOCK_SEQPACKET) {
1076 err = -EBADFD;
1077 goto done;
1078 }
1079
1080 switch (l2cap_pi(sk)->mode) {
1081 case L2CAP_MODE_BASIC:
1082 break;
1083 case L2CAP_MODE_ERTM:
1084 case L2CAP_MODE_STREAMING:
1085 if (enable_ertm)
1086 break;
1087 /* fall through */
1088 default:
1089 err = -ENOTSUPP;
1090 goto done;
1091 }
1092
1093 if (!l2cap_pi(sk)->psm) {
1094 bdaddr_t *src = &bt_sk(sk)->src;
1095 u16 psm;
1096
1097 err = -EINVAL;
1098
1099 write_lock_bh(&l2cap_sk_list.lock);
1100
1101 for (psm = 0x1001; psm < 0x1100; psm += 2)
1102 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1103 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1104 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1105 err = 0;
1106 break;
1107 }
1108
1109 write_unlock_bh(&l2cap_sk_list.lock);
1110
1111 if (err < 0)
1112 goto done;
1113 }
1114
1115 sk->sk_max_ack_backlog = backlog;
1116 sk->sk_ack_backlog = 0;
1117 sk->sk_state = BT_LISTEN;
1118
1119 done:
1120 release_sock(sk);
1121 return err;
1122 }
1123
1124 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1125 {
1126 DECLARE_WAITQUEUE(wait, current);
1127 struct sock *sk = sock->sk, *nsk;
1128 long timeo;
1129 int err = 0;
1130
1131 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1132
1133 if (sk->sk_state != BT_LISTEN) {
1134 err = -EBADFD;
1135 goto done;
1136 }
1137
1138 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1139
1140 BT_DBG("sk %p timeo %ld", sk, timeo);
1141
1142 /* Wait for an incoming connection. (wake-one). */
1143 add_wait_queue_exclusive(sk->sk_sleep, &wait);
1144 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1145 set_current_state(TASK_INTERRUPTIBLE);
1146 if (!timeo) {
1147 err = -EAGAIN;
1148 break;
1149 }
1150
1151 release_sock(sk);
1152 timeo = schedule_timeout(timeo);
1153 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1154
1155 if (sk->sk_state != BT_LISTEN) {
1156 err = -EBADFD;
1157 break;
1158 }
1159
1160 if (signal_pending(current)) {
1161 err = sock_intr_errno(timeo);
1162 break;
1163 }
1164 }
1165 set_current_state(TASK_RUNNING);
1166 remove_wait_queue(sk->sk_sleep, &wait);
1167
1168 if (err)
1169 goto done;
1170
1171 newsock->state = SS_CONNECTED;
1172
1173 BT_DBG("new socket %p", nsk);
1174
1175 done:
1176 release_sock(sk);
1177 return err;
1178 }
1179
1180 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1181 {
1182 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1183 struct sock *sk = sock->sk;
1184
1185 BT_DBG("sock %p, sk %p", sock, sk);
1186
1187 addr->sa_family = AF_BLUETOOTH;
1188 *len = sizeof(struct sockaddr_l2);
1189
1190 if (peer) {
1191 la->l2_psm = l2cap_pi(sk)->psm;
1192 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
1193 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1194 } else {
1195 la->l2_psm = l2cap_pi(sk)->sport;
1196 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
1197 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
1198 }
1199
1200 return 0;
1201 }
1202
1203 static void l2cap_monitor_timeout(unsigned long arg)
1204 {
1205 struct sock *sk = (void *) arg;
1206 u16 control;
1207
1208 bh_lock_sock(sk);
1209 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
1210 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
1211 return;
1212 }
1213
1214 l2cap_pi(sk)->retry_count++;
1215 __mod_monitor_timer();
1216
1217 control = L2CAP_CTRL_POLL;
1218 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
1219 bh_unlock_sock(sk);
1220 }
1221
1222 static void l2cap_retrans_timeout(unsigned long arg)
1223 {
1224 struct sock *sk = (void *) arg;
1225 u16 control;
1226
1227 bh_lock_sock(sk);
1228 l2cap_pi(sk)->retry_count = 1;
1229 __mod_monitor_timer();
1230
1231 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1232
1233 control = L2CAP_CTRL_POLL;
1234 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
1235 bh_unlock_sock(sk);
1236 }
1237
1238 static void l2cap_drop_acked_frames(struct sock *sk)
1239 {
1240 struct sk_buff *skb;
1241
1242 while ((skb = skb_peek(TX_QUEUE(sk)))) {
1243 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1244 break;
1245
1246 skb = skb_dequeue(TX_QUEUE(sk));
1247 kfree_skb(skb);
1248
1249 l2cap_pi(sk)->unacked_frames--;
1250 }
1251
1252 if (!l2cap_pi(sk)->unacked_frames)
1253 del_timer(&l2cap_pi(sk)->retrans_timer);
1254
1255 return;
1256 }
1257
1258 static inline int l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1259 {
1260 struct l2cap_pinfo *pi = l2cap_pi(sk);
1261 int err;
1262
1263 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1264
1265 err = hci_send_acl(pi->conn->hcon, skb, 0);
1266 if (err < 0)
1267 kfree_skb(skb);
1268
1269 return err;
1270 }
1271
1272 static int l2cap_streaming_send(struct sock *sk)
1273 {
1274 struct sk_buff *skb, *tx_skb;
1275 struct l2cap_pinfo *pi = l2cap_pi(sk);
1276 u16 control, fcs;
1277 int err;
1278
1279 while ((skb = sk->sk_send_head)) {
1280 tx_skb = skb_clone(skb, GFP_ATOMIC);
1281
1282 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1283 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1284 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1285
1286 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1287 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1288 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1289 }
1290
1291 err = l2cap_do_send(sk, tx_skb);
1292 if (err < 0) {
1293 l2cap_send_disconn_req(pi->conn, sk);
1294 return err;
1295 }
1296
1297 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1298
1299 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1300 sk->sk_send_head = NULL;
1301 else
1302 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1303
1304 skb = skb_dequeue(TX_QUEUE(sk));
1305 kfree_skb(skb);
1306 }
1307 return 0;
1308 }
1309
1310 static int l2cap_retransmit_frame(struct sock *sk, u8 tx_seq)
1311 {
1312 struct l2cap_pinfo *pi = l2cap_pi(sk);
1313 struct sk_buff *skb, *tx_skb;
1314 u16 control, fcs;
1315 int err;
1316
1317 skb = skb_peek(TX_QUEUE(sk));
1318 do {
1319 if (bt_cb(skb)->tx_seq != tx_seq) {
1320 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1321 break;
1322 skb = skb_queue_next(TX_QUEUE(sk), skb);
1323 continue;
1324 }
1325
1326 if (pi->remote_max_tx &&
1327 bt_cb(skb)->retries == pi->remote_max_tx) {
1328 l2cap_send_disconn_req(pi->conn, sk);
1329 break;
1330 }
1331
1332 tx_skb = skb_clone(skb, GFP_ATOMIC);
1333 bt_cb(skb)->retries++;
1334 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1335 control |= (pi->req_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1336 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1337 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1338
1339 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1340 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1341 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1342 }
1343
1344 err = l2cap_do_send(sk, tx_skb);
1345 if (err < 0) {
1346 l2cap_send_disconn_req(pi->conn, sk);
1347 return err;
1348 }
1349 break;
1350 } while(1);
1351 return 0;
1352 }
1353
1354 static int l2cap_ertm_send(struct sock *sk)
1355 {
1356 struct sk_buff *skb, *tx_skb;
1357 struct l2cap_pinfo *pi = l2cap_pi(sk);
1358 u16 control, fcs;
1359 int err;
1360
1361 if (pi->conn_state & L2CAP_CONN_WAIT_F)
1362 return 0;
1363
1364 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))
1365 && !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1366 tx_skb = skb_clone(skb, GFP_ATOMIC);
1367
1368 if (pi->remote_max_tx &&
1369 bt_cb(skb)->retries == pi->remote_max_tx) {
1370 l2cap_send_disconn_req(pi->conn, sk);
1371 break;
1372 }
1373
1374 bt_cb(skb)->retries++;
1375
1376 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1377 control |= (pi->req_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1378 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1379 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1380
1381
1382 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16) {
1383 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1384 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1385 }
1386
1387 err = l2cap_do_send(sk, tx_skb);
1388 if (err < 0) {
1389 l2cap_send_disconn_req(pi->conn, sk);
1390 return err;
1391 }
1392 __mod_retrans_timer();
1393
1394 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1395 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1396
1397 pi->unacked_frames++;
1398
1399 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1400 sk->sk_send_head = NULL;
1401 else
1402 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1403 }
1404
1405 return 0;
1406 }
1407
1408 static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1409 {
1410 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1411 struct sk_buff **frag;
1412 int err, sent = 0;
1413
1414 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) {
1415 return -EFAULT;
1416 }
1417
1418 sent += count;
1419 len -= count;
1420
1421 /* Continuation fragments (no L2CAP header) */
1422 frag = &skb_shinfo(skb)->frag_list;
1423 while (len) {
1424 count = min_t(unsigned int, conn->mtu, len);
1425
1426 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1427 if (!*frag)
1428 return -EFAULT;
1429 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1430 return -EFAULT;
1431
1432 sent += count;
1433 len -= count;
1434
1435 frag = &(*frag)->next;
1436 }
1437
1438 return sent;
1439 }
1440
1441 static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1442 {
1443 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1444 struct sk_buff *skb;
1445 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1446 struct l2cap_hdr *lh;
1447
1448 BT_DBG("sk %p len %d", sk, (int)len);
1449
1450 count = min_t(unsigned int, (conn->mtu - hlen), len);
1451 skb = bt_skb_send_alloc(sk, count + hlen,
1452 msg->msg_flags & MSG_DONTWAIT, &err);
1453 if (!skb)
1454 return ERR_PTR(-ENOMEM);
1455
1456 /* Create L2CAP header */
1457 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1458 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1459 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1460 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1461
1462 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1463 if (unlikely(err < 0)) {
1464 kfree_skb(skb);
1465 return ERR_PTR(err);
1466 }
1467 return skb;
1468 }
1469
1470 static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1471 {
1472 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1473 struct sk_buff *skb;
1474 int err, count, hlen = L2CAP_HDR_SIZE;
1475 struct l2cap_hdr *lh;
1476
1477 BT_DBG("sk %p len %d", sk, (int)len);
1478
1479 count = min_t(unsigned int, (conn->mtu - hlen), len);
1480 skb = bt_skb_send_alloc(sk, count + hlen,
1481 msg->msg_flags & MSG_DONTWAIT, &err);
1482 if (!skb)
1483 return ERR_PTR(-ENOMEM);
1484
1485 /* Create L2CAP header */
1486 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1487 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1488 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1489
1490 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1491 if (unlikely(err < 0)) {
1492 kfree_skb(skb);
1493 return ERR_PTR(err);
1494 }
1495 return skb;
1496 }
1497
1498 static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1499 {
1500 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1501 struct sk_buff *skb;
1502 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1503 struct l2cap_hdr *lh;
1504
1505 BT_DBG("sk %p len %d", sk, (int)len);
1506
1507 if (sdulen)
1508 hlen += 2;
1509
1510 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1511 hlen += 2;
1512
1513 count = min_t(unsigned int, (conn->mtu - hlen), len);
1514 skb = bt_skb_send_alloc(sk, count + hlen,
1515 msg->msg_flags & MSG_DONTWAIT, &err);
1516 if (!skb)
1517 return ERR_PTR(-ENOMEM);
1518
1519 /* Create L2CAP header */
1520 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1521 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1522 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1523 put_unaligned_le16(control, skb_put(skb, 2));
1524 if (sdulen)
1525 put_unaligned_le16(sdulen, skb_put(skb, 2));
1526
1527 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1528 if (unlikely(err < 0)) {
1529 kfree_skb(skb);
1530 return ERR_PTR(err);
1531 }
1532
1533 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1534 put_unaligned_le16(0, skb_put(skb, 2));
1535
1536 bt_cb(skb)->retries = 0;
1537 return skb;
1538 }
1539
1540 static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1541 {
1542 struct l2cap_pinfo *pi = l2cap_pi(sk);
1543 struct sk_buff *skb;
1544 struct sk_buff_head sar_queue;
1545 u16 control;
1546 size_t size = 0;
1547
1548 __skb_queue_head_init(&sar_queue);
1549 control = L2CAP_SDU_START;
1550 skb = l2cap_create_iframe_pdu(sk, msg, pi->max_pdu_size, control, len);
1551 if (IS_ERR(skb))
1552 return PTR_ERR(skb);
1553
1554 __skb_queue_tail(&sar_queue, skb);
1555 len -= pi->max_pdu_size;
1556 size +=pi->max_pdu_size;
1557 control = 0;
1558
1559 while (len > 0) {
1560 size_t buflen;
1561
1562 if (len > pi->max_pdu_size) {
1563 control |= L2CAP_SDU_CONTINUE;
1564 buflen = pi->max_pdu_size;
1565 } else {
1566 control |= L2CAP_SDU_END;
1567 buflen = len;
1568 }
1569
1570 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
1571 if (IS_ERR(skb)) {
1572 skb_queue_purge(&sar_queue);
1573 return PTR_ERR(skb);
1574 }
1575
1576 __skb_queue_tail(&sar_queue, skb);
1577 len -= buflen;
1578 size += buflen;
1579 control = 0;
1580 }
1581 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1582 if (sk->sk_send_head == NULL)
1583 sk->sk_send_head = sar_queue.next;
1584
1585 return size;
1586 }
1587
1588 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1589 {
1590 struct sock *sk = sock->sk;
1591 struct l2cap_pinfo *pi = l2cap_pi(sk);
1592 struct sk_buff *skb;
1593 u16 control;
1594 int err;
1595
1596 BT_DBG("sock %p, sk %p", sock, sk);
1597
1598 err = sock_error(sk);
1599 if (err)
1600 return err;
1601
1602 if (msg->msg_flags & MSG_OOB)
1603 return -EOPNOTSUPP;
1604
1605 /* Check outgoing MTU */
1606 if (sk->sk_type == SOCK_SEQPACKET && pi->mode == L2CAP_MODE_BASIC
1607 && len > pi->omtu)
1608 return -EINVAL;
1609
1610 lock_sock(sk);
1611
1612 if (sk->sk_state != BT_CONNECTED) {
1613 err = -ENOTCONN;
1614 goto done;
1615 }
1616
1617 /* Connectionless channel */
1618 if (sk->sk_type == SOCK_DGRAM) {
1619 skb = l2cap_create_connless_pdu(sk, msg, len);
1620 err = l2cap_do_send(sk, skb);
1621 goto done;
1622 }
1623
1624 switch (pi->mode) {
1625 case L2CAP_MODE_BASIC:
1626 /* Create a basic PDU */
1627 skb = l2cap_create_basic_pdu(sk, msg, len);
1628 if (IS_ERR(skb)) {
1629 err = PTR_ERR(skb);
1630 goto done;
1631 }
1632
1633 err = l2cap_do_send(sk, skb);
1634 if (!err)
1635 err = len;
1636 break;
1637
1638 case L2CAP_MODE_ERTM:
1639 case L2CAP_MODE_STREAMING:
1640 /* Entire SDU fits into one PDU */
1641 if (len <= pi->max_pdu_size) {
1642 control = L2CAP_SDU_UNSEGMENTED;
1643 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1644 if (IS_ERR(skb)) {
1645 err = PTR_ERR(skb);
1646 goto done;
1647 }
1648 __skb_queue_tail(TX_QUEUE(sk), skb);
1649 if (sk->sk_send_head == NULL)
1650 sk->sk_send_head = skb;
1651 } else {
1652 /* Segment SDU into multiples PDUs */
1653 err = l2cap_sar_segment_sdu(sk, msg, len);
1654 if (err < 0)
1655 goto done;
1656 }
1657
1658 if (pi->mode == L2CAP_MODE_STREAMING)
1659 err = l2cap_streaming_send(sk);
1660 else
1661 err = l2cap_ertm_send(sk);
1662
1663 if (!err)
1664 err = len;
1665 break;
1666
1667 default:
1668 BT_DBG("bad state %1.1x", pi->mode);
1669 err = -EINVAL;
1670 }
1671
1672 done:
1673 release_sock(sk);
1674 return err;
1675 }
1676
1677 static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1678 {
1679 struct sock *sk = sock->sk;
1680
1681 lock_sock(sk);
1682
1683 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1684 struct l2cap_conn_rsp rsp;
1685
1686 sk->sk_state = BT_CONFIG;
1687
1688 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1689 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1690 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1691 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1692 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1693 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1694
1695 release_sock(sk);
1696 return 0;
1697 }
1698
1699 release_sock(sk);
1700
1701 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1702 }
1703
1704 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1705 {
1706 struct sock *sk = sock->sk;
1707 struct l2cap_options opts;
1708 int len, err = 0;
1709 u32 opt;
1710
1711 BT_DBG("sk %p", sk);
1712
1713 lock_sock(sk);
1714
1715 switch (optname) {
1716 case L2CAP_OPTIONS:
1717 opts.imtu = l2cap_pi(sk)->imtu;
1718 opts.omtu = l2cap_pi(sk)->omtu;
1719 opts.flush_to = l2cap_pi(sk)->flush_to;
1720 opts.mode = l2cap_pi(sk)->mode;
1721 opts.fcs = l2cap_pi(sk)->fcs;
1722
1723 len = min_t(unsigned int, sizeof(opts), optlen);
1724 if (copy_from_user((char *) &opts, optval, len)) {
1725 err = -EFAULT;
1726 break;
1727 }
1728
1729 l2cap_pi(sk)->imtu = opts.imtu;
1730 l2cap_pi(sk)->omtu = opts.omtu;
1731 l2cap_pi(sk)->mode = opts.mode;
1732 l2cap_pi(sk)->fcs = opts.fcs;
1733 break;
1734
1735 case L2CAP_LM:
1736 if (get_user(opt, (u32 __user *) optval)) {
1737 err = -EFAULT;
1738 break;
1739 }
1740
1741 if (opt & L2CAP_LM_AUTH)
1742 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1743 if (opt & L2CAP_LM_ENCRYPT)
1744 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1745 if (opt & L2CAP_LM_SECURE)
1746 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1747
1748 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1749 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1750 break;
1751
1752 default:
1753 err = -ENOPROTOOPT;
1754 break;
1755 }
1756
1757 release_sock(sk);
1758 return err;
1759 }
1760
1761 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
1762 {
1763 struct sock *sk = sock->sk;
1764 struct bt_security sec;
1765 int len, err = 0;
1766 u32 opt;
1767
1768 BT_DBG("sk %p", sk);
1769
1770 if (level == SOL_L2CAP)
1771 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
1772
1773 if (level != SOL_BLUETOOTH)
1774 return -ENOPROTOOPT;
1775
1776 lock_sock(sk);
1777
1778 switch (optname) {
1779 case BT_SECURITY:
1780 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1781 err = -EINVAL;
1782 break;
1783 }
1784
1785 sec.level = BT_SECURITY_LOW;
1786
1787 len = min_t(unsigned int, sizeof(sec), optlen);
1788 if (copy_from_user((char *) &sec, optval, len)) {
1789 err = -EFAULT;
1790 break;
1791 }
1792
1793 if (sec.level < BT_SECURITY_LOW ||
1794 sec.level > BT_SECURITY_HIGH) {
1795 err = -EINVAL;
1796 break;
1797 }
1798
1799 l2cap_pi(sk)->sec_level = sec.level;
1800 break;
1801
1802 case BT_DEFER_SETUP:
1803 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1804 err = -EINVAL;
1805 break;
1806 }
1807
1808 if (get_user(opt, (u32 __user *) optval)) {
1809 err = -EFAULT;
1810 break;
1811 }
1812
1813 bt_sk(sk)->defer_setup = opt;
1814 break;
1815
1816 default:
1817 err = -ENOPROTOOPT;
1818 break;
1819 }
1820
1821 release_sock(sk);
1822 return err;
1823 }
1824
1825 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1826 {
1827 struct sock *sk = sock->sk;
1828 struct l2cap_options opts;
1829 struct l2cap_conninfo cinfo;
1830 int len, err = 0;
1831 u32 opt;
1832
1833 BT_DBG("sk %p", sk);
1834
1835 if (get_user(len, optlen))
1836 return -EFAULT;
1837
1838 lock_sock(sk);
1839
1840 switch (optname) {
1841 case L2CAP_OPTIONS:
1842 opts.imtu = l2cap_pi(sk)->imtu;
1843 opts.omtu = l2cap_pi(sk)->omtu;
1844 opts.flush_to = l2cap_pi(sk)->flush_to;
1845 opts.mode = l2cap_pi(sk)->mode;
1846 opts.fcs = l2cap_pi(sk)->fcs;
1847
1848 len = min_t(unsigned int, len, sizeof(opts));
1849 if (copy_to_user(optval, (char *) &opts, len))
1850 err = -EFAULT;
1851
1852 break;
1853
1854 case L2CAP_LM:
1855 switch (l2cap_pi(sk)->sec_level) {
1856 case BT_SECURITY_LOW:
1857 opt = L2CAP_LM_AUTH;
1858 break;
1859 case BT_SECURITY_MEDIUM:
1860 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
1861 break;
1862 case BT_SECURITY_HIGH:
1863 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
1864 L2CAP_LM_SECURE;
1865 break;
1866 default:
1867 opt = 0;
1868 break;
1869 }
1870
1871 if (l2cap_pi(sk)->role_switch)
1872 opt |= L2CAP_LM_MASTER;
1873
1874 if (l2cap_pi(sk)->force_reliable)
1875 opt |= L2CAP_LM_RELIABLE;
1876
1877 if (put_user(opt, (u32 __user *) optval))
1878 err = -EFAULT;
1879 break;
1880
1881 case L2CAP_CONNINFO:
1882 if (sk->sk_state != BT_CONNECTED &&
1883 !(sk->sk_state == BT_CONNECT2 &&
1884 bt_sk(sk)->defer_setup)) {
1885 err = -ENOTCONN;
1886 break;
1887 }
1888
1889 memset(&cinfo, 0, sizeof(cinfo));
1890 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
1891 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
1892
1893 len = min_t(unsigned int, len, sizeof(cinfo));
1894 if (copy_to_user(optval, (char *) &cinfo, len))
1895 err = -EFAULT;
1896
1897 break;
1898
1899 default:
1900 err = -ENOPROTOOPT;
1901 break;
1902 }
1903
1904 release_sock(sk);
1905 return err;
1906 }
1907
1908 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
1909 {
1910 struct sock *sk = sock->sk;
1911 struct bt_security sec;
1912 int len, err = 0;
1913
1914 BT_DBG("sk %p", sk);
1915
1916 if (level == SOL_L2CAP)
1917 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
1918
1919 if (level != SOL_BLUETOOTH)
1920 return -ENOPROTOOPT;
1921
1922 if (get_user(len, optlen))
1923 return -EFAULT;
1924
1925 lock_sock(sk);
1926
1927 switch (optname) {
1928 case BT_SECURITY:
1929 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_RAW) {
1930 err = -EINVAL;
1931 break;
1932 }
1933
1934 sec.level = l2cap_pi(sk)->sec_level;
1935
1936 len = min_t(unsigned int, len, sizeof(sec));
1937 if (copy_to_user(optval, (char *) &sec, len))
1938 err = -EFAULT;
1939
1940 break;
1941
1942 case BT_DEFER_SETUP:
1943 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
1944 err = -EINVAL;
1945 break;
1946 }
1947
1948 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
1949 err = -EFAULT;
1950
1951 break;
1952
1953 default:
1954 err = -ENOPROTOOPT;
1955 break;
1956 }
1957
1958 release_sock(sk);
1959 return err;
1960 }
1961
1962 static int l2cap_sock_shutdown(struct socket *sock, int how)
1963 {
1964 struct sock *sk = sock->sk;
1965 int err = 0;
1966
1967 BT_DBG("sock %p, sk %p", sock, sk);
1968
1969 if (!sk)
1970 return 0;
1971
1972 lock_sock(sk);
1973 if (!sk->sk_shutdown) {
1974 sk->sk_shutdown = SHUTDOWN_MASK;
1975 l2cap_sock_clear_timer(sk);
1976 __l2cap_sock_close(sk, 0);
1977
1978 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
1979 err = bt_sock_wait_state(sk, BT_CLOSED,
1980 sk->sk_lingertime);
1981 }
1982 release_sock(sk);
1983 return err;
1984 }
1985
1986 static int l2cap_sock_release(struct socket *sock)
1987 {
1988 struct sock *sk = sock->sk;
1989 int err;
1990
1991 BT_DBG("sock %p, sk %p", sock, sk);
1992
1993 if (!sk)
1994 return 0;
1995
1996 err = l2cap_sock_shutdown(sock, 2);
1997
1998 sock_orphan(sk);
1999 l2cap_sock_kill(sk);
2000 return err;
2001 }
2002
2003 static void l2cap_chan_ready(struct sock *sk)
2004 {
2005 struct sock *parent = bt_sk(sk)->parent;
2006
2007 BT_DBG("sk %p, parent %p", sk, parent);
2008
2009 l2cap_pi(sk)->conf_state = 0;
2010 l2cap_sock_clear_timer(sk);
2011
2012 if (!parent) {
2013 /* Outgoing channel.
2014 * Wake up socket sleeping on connect.
2015 */
2016 sk->sk_state = BT_CONNECTED;
2017 sk->sk_state_change(sk);
2018 } else {
2019 /* Incoming channel.
2020 * Wake up socket sleeping on accept.
2021 */
2022 parent->sk_data_ready(parent, 0);
2023 }
2024 }
2025
2026 /* Copy frame to all raw sockets on that connection */
2027 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2028 {
2029 struct l2cap_chan_list *l = &conn->chan_list;
2030 struct sk_buff *nskb;
2031 struct sock *sk;
2032
2033 BT_DBG("conn %p", conn);
2034
2035 read_lock(&l->lock);
2036 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2037 if (sk->sk_type != SOCK_RAW)
2038 continue;
2039
2040 /* Don't send frame to the socket it came from */
2041 if (skb->sk == sk)
2042 continue;
2043 nskb = skb_clone(skb, GFP_ATOMIC);
2044 if (!nskb)
2045 continue;
2046
2047 if (sock_queue_rcv_skb(sk, nskb))
2048 kfree_skb(nskb);
2049 }
2050 read_unlock(&l->lock);
2051 }
2052
2053 /* ---- L2CAP signalling commands ---- */
2054 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2055 u8 code, u8 ident, u16 dlen, void *data)
2056 {
2057 struct sk_buff *skb, **frag;
2058 struct l2cap_cmd_hdr *cmd;
2059 struct l2cap_hdr *lh;
2060 int len, count;
2061
2062 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2063 conn, code, ident, dlen);
2064
2065 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2066 count = min_t(unsigned int, conn->mtu, len);
2067
2068 skb = bt_skb_alloc(count, GFP_ATOMIC);
2069 if (!skb)
2070 return NULL;
2071
2072 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2073 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2074 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2075
2076 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2077 cmd->code = code;
2078 cmd->ident = ident;
2079 cmd->len = cpu_to_le16(dlen);
2080
2081 if (dlen) {
2082 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2083 memcpy(skb_put(skb, count), data, count);
2084 data += count;
2085 }
2086
2087 len -= skb->len;
2088
2089 /* Continuation fragments (no L2CAP header) */
2090 frag = &skb_shinfo(skb)->frag_list;
2091 while (len) {
2092 count = min_t(unsigned int, conn->mtu, len);
2093
2094 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2095 if (!*frag)
2096 goto fail;
2097
2098 memcpy(skb_put(*frag, count), data, count);
2099
2100 len -= count;
2101 data += count;
2102
2103 frag = &(*frag)->next;
2104 }
2105
2106 return skb;
2107
2108 fail:
2109 kfree_skb(skb);
2110 return NULL;
2111 }
2112
2113 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2114 {
2115 struct l2cap_conf_opt *opt = *ptr;
2116 int len;
2117
2118 len = L2CAP_CONF_OPT_SIZE + opt->len;
2119 *ptr += len;
2120
2121 *type = opt->type;
2122 *olen = opt->len;
2123
2124 switch (opt->len) {
2125 case 1:
2126 *val = *((u8 *) opt->val);
2127 break;
2128
2129 case 2:
2130 *val = __le16_to_cpu(*((__le16 *) opt->val));
2131 break;
2132
2133 case 4:
2134 *val = __le32_to_cpu(*((__le32 *) opt->val));
2135 break;
2136
2137 default:
2138 *val = (unsigned long) opt->val;
2139 break;
2140 }
2141
2142 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2143 return len;
2144 }
2145
2146 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2147 {
2148 struct l2cap_conf_opt *opt = *ptr;
2149
2150 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2151
2152 opt->type = type;
2153 opt->len = len;
2154
2155 switch (len) {
2156 case 1:
2157 *((u8 *) opt->val) = val;
2158 break;
2159
2160 case 2:
2161 *((__le16 *) opt->val) = cpu_to_le16(val);
2162 break;
2163
2164 case 4:
2165 *((__le32 *) opt->val) = cpu_to_le32(val);
2166 break;
2167
2168 default:
2169 memcpy(opt->val, (void *) val, len);
2170 break;
2171 }
2172
2173 *ptr += L2CAP_CONF_OPT_SIZE + len;
2174 }
2175
2176 static int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
2177 {
2178 u32 local_feat_mask = l2cap_feat_mask;
2179 if (enable_ertm)
2180 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
2181
2182 switch (mode) {
2183 case L2CAP_MODE_ERTM:
2184 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
2185 case L2CAP_MODE_STREAMING:
2186 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
2187 default:
2188 return 0x00;
2189 }
2190 }
2191
2192 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2193 {
2194 switch (mode) {
2195 case L2CAP_MODE_STREAMING:
2196 case L2CAP_MODE_ERTM:
2197 if (l2cap_mode_supported(mode, remote_feat_mask))
2198 return mode;
2199 /* fall through */
2200 default:
2201 return L2CAP_MODE_BASIC;
2202 }
2203 }
2204
2205 static int l2cap_build_conf_req(struct sock *sk, void *data)
2206 {
2207 struct l2cap_pinfo *pi = l2cap_pi(sk);
2208 struct l2cap_conf_req *req = data;
2209 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2210 void *ptr = req->data;
2211
2212 BT_DBG("sk %p", sk);
2213
2214 if (pi->num_conf_req || pi->num_conf_rsp)
2215 goto done;
2216
2217 switch (pi->mode) {
2218 case L2CAP_MODE_STREAMING:
2219 case L2CAP_MODE_ERTM:
2220 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2221 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2222 l2cap_send_disconn_req(pi->conn, sk);
2223 break;
2224 default:
2225 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2226 break;
2227 }
2228
2229 done:
2230 switch (pi->mode) {
2231 case L2CAP_MODE_BASIC:
2232 if (pi->imtu != L2CAP_DEFAULT_MTU)
2233 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2234 break;
2235
2236 case L2CAP_MODE_ERTM:
2237 rfc.mode = L2CAP_MODE_ERTM;
2238 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2239 rfc.max_transmit = L2CAP_DEFAULT_MAX_TX;
2240 rfc.retrans_timeout = 0;
2241 rfc.monitor_timeout = 0;
2242 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2243
2244 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2245 sizeof(rfc), (unsigned long) &rfc);
2246
2247 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2248 break;
2249
2250 if (pi->fcs == L2CAP_FCS_NONE ||
2251 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2252 pi->fcs = L2CAP_FCS_NONE;
2253 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2254 }
2255 break;
2256
2257 case L2CAP_MODE_STREAMING:
2258 rfc.mode = L2CAP_MODE_STREAMING;
2259 rfc.txwin_size = 0;
2260 rfc.max_transmit = 0;
2261 rfc.retrans_timeout = 0;
2262 rfc.monitor_timeout = 0;
2263 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
2264
2265 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2266 sizeof(rfc), (unsigned long) &rfc);
2267
2268 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2269 break;
2270
2271 if (pi->fcs == L2CAP_FCS_NONE ||
2272 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2273 pi->fcs = L2CAP_FCS_NONE;
2274 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2275 }
2276 break;
2277 }
2278
2279 /* FIXME: Need actual value of the flush timeout */
2280 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2281 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2282
2283 req->dcid = cpu_to_le16(pi->dcid);
2284 req->flags = cpu_to_le16(0);
2285
2286 return ptr - data;
2287 }
2288
2289 static int l2cap_parse_conf_req(struct sock *sk, void *data)
2290 {
2291 struct l2cap_pinfo *pi = l2cap_pi(sk);
2292 struct l2cap_conf_rsp *rsp = data;
2293 void *ptr = rsp->data;
2294 void *req = pi->conf_req;
2295 int len = pi->conf_len;
2296 int type, hint, olen;
2297 unsigned long val;
2298 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2299 u16 mtu = L2CAP_DEFAULT_MTU;
2300 u16 result = L2CAP_CONF_SUCCESS;
2301
2302 BT_DBG("sk %p", sk);
2303
2304 while (len >= L2CAP_CONF_OPT_SIZE) {
2305 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2306
2307 hint = type & L2CAP_CONF_HINT;
2308 type &= L2CAP_CONF_MASK;
2309
2310 switch (type) {
2311 case L2CAP_CONF_MTU:
2312 mtu = val;
2313 break;
2314
2315 case L2CAP_CONF_FLUSH_TO:
2316 pi->flush_to = val;
2317 break;
2318
2319 case L2CAP_CONF_QOS:
2320 break;
2321
2322 case L2CAP_CONF_RFC:
2323 if (olen == sizeof(rfc))
2324 memcpy(&rfc, (void *) val, olen);
2325 break;
2326
2327 case L2CAP_CONF_FCS:
2328 if (val == L2CAP_FCS_NONE)
2329 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2330
2331 break;
2332
2333 default:
2334 if (hint)
2335 break;
2336
2337 result = L2CAP_CONF_UNKNOWN;
2338 *((u8 *) ptr++) = type;
2339 break;
2340 }
2341 }
2342
2343 if (pi->num_conf_rsp || pi->num_conf_req)
2344 goto done;
2345
2346 switch (pi->mode) {
2347 case L2CAP_MODE_STREAMING:
2348 case L2CAP_MODE_ERTM:
2349 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
2350 if (!l2cap_mode_supported(pi->mode, pi->conn->feat_mask))
2351 return -ECONNREFUSED;
2352 break;
2353 default:
2354 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2355 break;
2356 }
2357
2358 done:
2359 if (pi->mode != rfc.mode) {
2360 result = L2CAP_CONF_UNACCEPT;
2361 rfc.mode = pi->mode;
2362
2363 if (pi->num_conf_rsp == 1)
2364 return -ECONNREFUSED;
2365
2366 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2367 sizeof(rfc), (unsigned long) &rfc);
2368 }
2369
2370
2371 if (result == L2CAP_CONF_SUCCESS) {
2372 /* Configure output options and let the other side know
2373 * which ones we don't like. */
2374
2375 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2376 result = L2CAP_CONF_UNACCEPT;
2377 else {
2378 pi->omtu = mtu;
2379 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2380 }
2381 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2382
2383 switch (rfc.mode) {
2384 case L2CAP_MODE_BASIC:
2385 pi->fcs = L2CAP_FCS_NONE;
2386 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2387 break;
2388
2389 case L2CAP_MODE_ERTM:
2390 pi->remote_tx_win = rfc.txwin_size;
2391 pi->remote_max_tx = rfc.max_transmit;
2392 pi->max_pdu_size = rfc.max_pdu_size;
2393
2394 rfc.retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
2395 rfc.monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
2396
2397 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2398
2399 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2400 sizeof(rfc), (unsigned long) &rfc);
2401
2402 break;
2403
2404 case L2CAP_MODE_STREAMING:
2405 pi->remote_tx_win = rfc.txwin_size;
2406 pi->max_pdu_size = rfc.max_pdu_size;
2407
2408 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2409
2410 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2411 sizeof(rfc), (unsigned long) &rfc);
2412
2413 break;
2414
2415 default:
2416 result = L2CAP_CONF_UNACCEPT;
2417
2418 memset(&rfc, 0, sizeof(rfc));
2419 rfc.mode = pi->mode;
2420 }
2421
2422 if (result == L2CAP_CONF_SUCCESS)
2423 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2424 }
2425 rsp->scid = cpu_to_le16(pi->dcid);
2426 rsp->result = cpu_to_le16(result);
2427 rsp->flags = cpu_to_le16(0x0000);
2428
2429 return ptr - data;
2430 }
2431
2432 static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2433 {
2434 struct l2cap_pinfo *pi = l2cap_pi(sk);
2435 struct l2cap_conf_req *req = data;
2436 void *ptr = req->data;
2437 int type, olen;
2438 unsigned long val;
2439 struct l2cap_conf_rfc rfc;
2440
2441 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2442
2443 while (len >= L2CAP_CONF_OPT_SIZE) {
2444 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2445
2446 switch (type) {
2447 case L2CAP_CONF_MTU:
2448 if (val < L2CAP_DEFAULT_MIN_MTU) {
2449 *result = L2CAP_CONF_UNACCEPT;
2450 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2451 } else
2452 pi->omtu = val;
2453 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2454 break;
2455
2456 case L2CAP_CONF_FLUSH_TO:
2457 pi->flush_to = val;
2458 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2459 2, pi->flush_to);
2460 break;
2461
2462 case L2CAP_CONF_RFC:
2463 if (olen == sizeof(rfc))
2464 memcpy(&rfc, (void *)val, olen);
2465
2466 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2467 rfc.mode != pi->mode)
2468 return -ECONNREFUSED;
2469
2470 pi->mode = rfc.mode;
2471 pi->fcs = 0;
2472
2473 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2474 sizeof(rfc), (unsigned long) &rfc);
2475 break;
2476 }
2477 }
2478
2479 if (*result == L2CAP_CONF_SUCCESS) {
2480 switch (rfc.mode) {
2481 case L2CAP_MODE_ERTM:
2482 pi->remote_tx_win = rfc.txwin_size;
2483 pi->retrans_timeout = rfc.retrans_timeout;
2484 pi->monitor_timeout = rfc.monitor_timeout;
2485 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2486 break;
2487 case L2CAP_MODE_STREAMING:
2488 pi->max_pdu_size = le16_to_cpu(rfc.max_pdu_size);
2489 break;
2490 }
2491 }
2492
2493 req->dcid = cpu_to_le16(pi->dcid);
2494 req->flags = cpu_to_le16(0x0000);
2495
2496 return ptr - data;
2497 }
2498
2499 static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
2500 {
2501 struct l2cap_conf_rsp *rsp = data;
2502 void *ptr = rsp->data;
2503
2504 BT_DBG("sk %p", sk);
2505
2506 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2507 rsp->result = cpu_to_le16(result);
2508 rsp->flags = cpu_to_le16(flags);
2509
2510 return ptr - data;
2511 }
2512
2513 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2514 {
2515 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2516
2517 if (rej->reason != 0x0000)
2518 return 0;
2519
2520 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2521 cmd->ident == conn->info_ident) {
2522 del_timer(&conn->info_timer);
2523
2524 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2525 conn->info_ident = 0;
2526
2527 l2cap_conn_start(conn);
2528 }
2529
2530 return 0;
2531 }
2532
2533 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2534 {
2535 struct l2cap_chan_list *list = &conn->chan_list;
2536 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2537 struct l2cap_conn_rsp rsp;
2538 struct sock *sk, *parent;
2539 int result, status = L2CAP_CS_NO_INFO;
2540
2541 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2542 __le16 psm = req->psm;
2543
2544 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2545
2546 /* Check if we have socket listening on psm */
2547 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2548 if (!parent) {
2549 result = L2CAP_CR_BAD_PSM;
2550 goto sendresp;
2551 }
2552
2553 /* Check if the ACL is secure enough (if not SDP) */
2554 if (psm != cpu_to_le16(0x0001) &&
2555 !hci_conn_check_link_mode(conn->hcon)) {
2556 conn->disc_reason = 0x05;
2557 result = L2CAP_CR_SEC_BLOCK;
2558 goto response;
2559 }
2560
2561 result = L2CAP_CR_NO_MEM;
2562
2563 /* Check for backlog size */
2564 if (sk_acceptq_is_full(parent)) {
2565 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2566 goto response;
2567 }
2568
2569 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
2570 if (!sk)
2571 goto response;
2572
2573 write_lock_bh(&list->lock);
2574
2575 /* Check if we already have channel with that dcid */
2576 if (__l2cap_get_chan_by_dcid(list, scid)) {
2577 write_unlock_bh(&list->lock);
2578 sock_set_flag(sk, SOCK_ZAPPED);
2579 l2cap_sock_kill(sk);
2580 goto response;
2581 }
2582
2583 hci_conn_hold(conn->hcon);
2584
2585 l2cap_sock_init(sk, parent);
2586 bacpy(&bt_sk(sk)->src, conn->src);
2587 bacpy(&bt_sk(sk)->dst, conn->dst);
2588 l2cap_pi(sk)->psm = psm;
2589 l2cap_pi(sk)->dcid = scid;
2590
2591 __l2cap_chan_add(conn, sk, parent);
2592 dcid = l2cap_pi(sk)->scid;
2593
2594 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2595
2596 l2cap_pi(sk)->ident = cmd->ident;
2597
2598 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2599 if (l2cap_check_security(sk)) {
2600 if (bt_sk(sk)->defer_setup) {
2601 sk->sk_state = BT_CONNECT2;
2602 result = L2CAP_CR_PEND;
2603 status = L2CAP_CS_AUTHOR_PEND;
2604 parent->sk_data_ready(parent, 0);
2605 } else {
2606 sk->sk_state = BT_CONFIG;
2607 result = L2CAP_CR_SUCCESS;
2608 status = L2CAP_CS_NO_INFO;
2609 }
2610 } else {
2611 sk->sk_state = BT_CONNECT2;
2612 result = L2CAP_CR_PEND;
2613 status = L2CAP_CS_AUTHEN_PEND;
2614 }
2615 } else {
2616 sk->sk_state = BT_CONNECT2;
2617 result = L2CAP_CR_PEND;
2618 status = L2CAP_CS_NO_INFO;
2619 }
2620
2621 write_unlock_bh(&list->lock);
2622
2623 response:
2624 bh_unlock_sock(parent);
2625
2626 sendresp:
2627 rsp.scid = cpu_to_le16(scid);
2628 rsp.dcid = cpu_to_le16(dcid);
2629 rsp.result = cpu_to_le16(result);
2630 rsp.status = cpu_to_le16(status);
2631 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2632
2633 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2634 struct l2cap_info_req info;
2635 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2636
2637 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2638 conn->info_ident = l2cap_get_ident(conn);
2639
2640 mod_timer(&conn->info_timer, jiffies +
2641 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2642
2643 l2cap_send_cmd(conn, conn->info_ident,
2644 L2CAP_INFO_REQ, sizeof(info), &info);
2645 }
2646
2647 return 0;
2648 }
2649
2650 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2651 {
2652 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2653 u16 scid, dcid, result, status;
2654 struct sock *sk;
2655 u8 req[128];
2656
2657 scid = __le16_to_cpu(rsp->scid);
2658 dcid = __le16_to_cpu(rsp->dcid);
2659 result = __le16_to_cpu(rsp->result);
2660 status = __le16_to_cpu(rsp->status);
2661
2662 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2663
2664 if (scid) {
2665 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2666 if (!sk)
2667 return 0;
2668 } else {
2669 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2670 if (!sk)
2671 return 0;
2672 }
2673
2674 switch (result) {
2675 case L2CAP_CR_SUCCESS:
2676 sk->sk_state = BT_CONFIG;
2677 l2cap_pi(sk)->ident = 0;
2678 l2cap_pi(sk)->dcid = dcid;
2679 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
2680
2681 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2682
2683 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2684 l2cap_build_conf_req(sk, req), req);
2685 l2cap_pi(sk)->num_conf_req++;
2686 break;
2687
2688 case L2CAP_CR_PEND:
2689 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
2690 break;
2691
2692 default:
2693 l2cap_chan_del(sk, ECONNREFUSED);
2694 break;
2695 }
2696
2697 bh_unlock_sock(sk);
2698 return 0;
2699 }
2700
2701 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2702 {
2703 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2704 u16 dcid, flags;
2705 u8 rsp[64];
2706 struct sock *sk;
2707 int len;
2708
2709 dcid = __le16_to_cpu(req->dcid);
2710 flags = __le16_to_cpu(req->flags);
2711
2712 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2713
2714 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2715 if (!sk)
2716 return -ENOENT;
2717
2718 if (sk->sk_state == BT_DISCONN)
2719 goto unlock;
2720
2721 /* Reject if config buffer is too small. */
2722 len = cmd_len - sizeof(*req);
2723 if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
2724 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2725 l2cap_build_conf_rsp(sk, rsp,
2726 L2CAP_CONF_REJECT, flags), rsp);
2727 goto unlock;
2728 }
2729
2730 /* Store config. */
2731 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
2732 l2cap_pi(sk)->conf_len += len;
2733
2734 if (flags & 0x0001) {
2735 /* Incomplete config. Send empty response. */
2736 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2737 l2cap_build_conf_rsp(sk, rsp,
2738 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2739 goto unlock;
2740 }
2741
2742 /* Complete config. */
2743 len = l2cap_parse_conf_req(sk, rsp);
2744 if (len < 0) {
2745 l2cap_send_disconn_req(conn, sk);
2746 goto unlock;
2747 }
2748
2749 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2750 l2cap_pi(sk)->num_conf_rsp++;
2751
2752 /* Reset config buffer. */
2753 l2cap_pi(sk)->conf_len = 0;
2754
2755 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
2756 goto unlock;
2757
2758 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
2759 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV)
2760 || l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2761 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2762
2763 sk->sk_state = BT_CONNECTED;
2764 l2cap_pi(sk)->next_tx_seq = 0;
2765 l2cap_pi(sk)->expected_ack_seq = 0;
2766 l2cap_pi(sk)->unacked_frames = 0;
2767
2768 setup_timer(&l2cap_pi(sk)->retrans_timer,
2769 l2cap_retrans_timeout, (unsigned long) sk);
2770 setup_timer(&l2cap_pi(sk)->monitor_timer,
2771 l2cap_monitor_timeout, (unsigned long) sk);
2772
2773 __skb_queue_head_init(TX_QUEUE(sk));
2774 __skb_queue_head_init(SREJ_QUEUE(sk));
2775 l2cap_chan_ready(sk);
2776 goto unlock;
2777 }
2778
2779 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
2780 u8 buf[64];
2781 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2782 l2cap_build_conf_req(sk, buf), buf);
2783 l2cap_pi(sk)->num_conf_req++;
2784 }
2785
2786 unlock:
2787 bh_unlock_sock(sk);
2788 return 0;
2789 }
2790
2791 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2792 {
2793 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2794 u16 scid, flags, result;
2795 struct sock *sk;
2796
2797 scid = __le16_to_cpu(rsp->scid);
2798 flags = __le16_to_cpu(rsp->flags);
2799 result = __le16_to_cpu(rsp->result);
2800
2801 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2802 scid, flags, result);
2803
2804 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2805 if (!sk)
2806 return 0;
2807
2808 switch (result) {
2809 case L2CAP_CONF_SUCCESS:
2810 break;
2811
2812 case L2CAP_CONF_UNACCEPT:
2813 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2814 int len = cmd->len - sizeof(*rsp);
2815 char req[64];
2816
2817 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2818 l2cap_send_disconn_req(conn, sk);
2819 goto done;
2820 }
2821
2822 /* throw out any old stored conf requests */
2823 result = L2CAP_CONF_SUCCESS;
2824 len = l2cap_parse_conf_rsp(sk, rsp->data,
2825 len, req, &result);
2826 if (len < 0) {
2827 l2cap_send_disconn_req(conn, sk);
2828 goto done;
2829 }
2830
2831 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2832 L2CAP_CONF_REQ, len, req);
2833 l2cap_pi(sk)->num_conf_req++;
2834 if (result != L2CAP_CONF_SUCCESS)
2835 goto done;
2836 break;
2837 }
2838
2839 default:
2840 sk->sk_state = BT_DISCONN;
2841 sk->sk_err = ECONNRESET;
2842 l2cap_sock_set_timer(sk, HZ * 5);
2843 l2cap_send_disconn_req(conn, sk);
2844 goto done;
2845 }
2846
2847 if (flags & 0x01)
2848 goto done;
2849
2850 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
2851
2852 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2853 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV)
2854 || l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
2855 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
2856
2857 sk->sk_state = BT_CONNECTED;
2858 l2cap_pi(sk)->expected_tx_seq = 0;
2859 l2cap_pi(sk)->buffer_seq = 0;
2860 l2cap_pi(sk)->num_to_ack = 0;
2861 __skb_queue_head_init(TX_QUEUE(sk));
2862 __skb_queue_head_init(SREJ_QUEUE(sk));
2863 l2cap_chan_ready(sk);
2864 }
2865
2866 done:
2867 bh_unlock_sock(sk);
2868 return 0;
2869 }
2870
2871 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2872 {
2873 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2874 struct l2cap_disconn_rsp rsp;
2875 u16 dcid, scid;
2876 struct sock *sk;
2877
2878 scid = __le16_to_cpu(req->scid);
2879 dcid = __le16_to_cpu(req->dcid);
2880
2881 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2882
2883 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
2884 if (!sk)
2885 return 0;
2886
2887 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
2888 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
2889 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2890
2891 sk->sk_shutdown = SHUTDOWN_MASK;
2892
2893 skb_queue_purge(TX_QUEUE(sk));
2894 skb_queue_purge(SREJ_QUEUE(sk));
2895 del_timer(&l2cap_pi(sk)->retrans_timer);
2896 del_timer(&l2cap_pi(sk)->monitor_timer);
2897
2898 l2cap_chan_del(sk, ECONNRESET);
2899 bh_unlock_sock(sk);
2900
2901 l2cap_sock_kill(sk);
2902 return 0;
2903 }
2904
2905 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2906 {
2907 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2908 u16 dcid, scid;
2909 struct sock *sk;
2910
2911 scid = __le16_to_cpu(rsp->scid);
2912 dcid = __le16_to_cpu(rsp->dcid);
2913
2914 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2915
2916 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2917 if (!sk)
2918 return 0;
2919
2920 skb_queue_purge(TX_QUEUE(sk));
2921 skb_queue_purge(SREJ_QUEUE(sk));
2922 del_timer(&l2cap_pi(sk)->retrans_timer);
2923 del_timer(&l2cap_pi(sk)->monitor_timer);
2924
2925 l2cap_chan_del(sk, 0);
2926 bh_unlock_sock(sk);
2927
2928 l2cap_sock_kill(sk);
2929 return 0;
2930 }
2931
2932 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2933 {
2934 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2935 u16 type;
2936
2937 type = __le16_to_cpu(req->type);
2938
2939 BT_DBG("type 0x%4.4x", type);
2940
2941 if (type == L2CAP_IT_FEAT_MASK) {
2942 u8 buf[8];
2943 u32 feat_mask = l2cap_feat_mask;
2944 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2945 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2946 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2947 if (enable_ertm)
2948 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2949 | L2CAP_FEAT_FCS;
2950 put_unaligned_le32(feat_mask, rsp->data);
2951 l2cap_send_cmd(conn, cmd->ident,
2952 L2CAP_INFO_RSP, sizeof(buf), buf);
2953 } else if (type == L2CAP_IT_FIXED_CHAN) {
2954 u8 buf[12];
2955 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2956 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2957 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2958 memcpy(buf + 4, l2cap_fixed_chan, 8);
2959 l2cap_send_cmd(conn, cmd->ident,
2960 L2CAP_INFO_RSP, sizeof(buf), buf);
2961 } else {
2962 struct l2cap_info_rsp rsp;
2963 rsp.type = cpu_to_le16(type);
2964 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2965 l2cap_send_cmd(conn, cmd->ident,
2966 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2967 }
2968
2969 return 0;
2970 }
2971
2972 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2973 {
2974 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2975 u16 type, result;
2976
2977 type = __le16_to_cpu(rsp->type);
2978 result = __le16_to_cpu(rsp->result);
2979
2980 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2981
2982 del_timer(&conn->info_timer);
2983
2984 if (type == L2CAP_IT_FEAT_MASK) {
2985 conn->feat_mask = get_unaligned_le32(rsp->data);
2986
2987 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
2988 struct l2cap_info_req req;
2989 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2990
2991 conn->info_ident = l2cap_get_ident(conn);
2992
2993 l2cap_send_cmd(conn, conn->info_ident,
2994 L2CAP_INFO_REQ, sizeof(req), &req);
2995 } else {
2996 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2997 conn->info_ident = 0;
2998
2999 l2cap_conn_start(conn);
3000 }
3001 } else if (type == L2CAP_IT_FIXED_CHAN) {
3002 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3003 conn->info_ident = 0;
3004
3005 l2cap_conn_start(conn);
3006 }
3007
3008 return 0;
3009 }
3010
3011 static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3012 {
3013 u8 *data = skb->data;
3014 int len = skb->len;
3015 struct l2cap_cmd_hdr cmd;
3016 int err = 0;
3017
3018 l2cap_raw_recv(conn, skb);
3019
3020 while (len >= L2CAP_CMD_HDR_SIZE) {
3021 u16 cmd_len;
3022 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3023 data += L2CAP_CMD_HDR_SIZE;
3024 len -= L2CAP_CMD_HDR_SIZE;
3025
3026 cmd_len = le16_to_cpu(cmd.len);
3027
3028 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3029
3030 if (cmd_len > len || !cmd.ident) {
3031 BT_DBG("corrupted command");
3032 break;
3033 }
3034
3035 switch (cmd.code) {
3036 case L2CAP_COMMAND_REJ:
3037 l2cap_command_rej(conn, &cmd, data);
3038 break;
3039
3040 case L2CAP_CONN_REQ:
3041 err = l2cap_connect_req(conn, &cmd, data);
3042 break;
3043
3044 case L2CAP_CONN_RSP:
3045 err = l2cap_connect_rsp(conn, &cmd, data);
3046 break;
3047
3048 case L2CAP_CONF_REQ:
3049 err = l2cap_config_req(conn, &cmd, cmd_len, data);
3050 break;
3051
3052 case L2CAP_CONF_RSP:
3053 err = l2cap_config_rsp(conn, &cmd, data);
3054 break;
3055
3056 case L2CAP_DISCONN_REQ:
3057 err = l2cap_disconnect_req(conn, &cmd, data);
3058 break;
3059
3060 case L2CAP_DISCONN_RSP:
3061 err = l2cap_disconnect_rsp(conn, &cmd, data);
3062 break;
3063
3064 case L2CAP_ECHO_REQ:
3065 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
3066 break;
3067
3068 case L2CAP_ECHO_RSP:
3069 break;
3070
3071 case L2CAP_INFO_REQ:
3072 err = l2cap_information_req(conn, &cmd, data);
3073 break;
3074
3075 case L2CAP_INFO_RSP:
3076 err = l2cap_information_rsp(conn, &cmd, data);
3077 break;
3078
3079 default:
3080 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3081 err = -EINVAL;
3082 break;
3083 }
3084
3085 if (err) {
3086 struct l2cap_cmd_rej rej;
3087 BT_DBG("error %d", err);
3088
3089 /* FIXME: Map err to a valid reason */
3090 rej.reason = cpu_to_le16(0);
3091 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3092 }
3093
3094 data += cmd_len;
3095 len -= cmd_len;
3096 }
3097
3098 kfree_skb(skb);
3099 }
3100
3101 static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3102 {
3103 u16 our_fcs, rcv_fcs;
3104 int hdr_size = L2CAP_HDR_SIZE + 2;
3105
3106 if (pi->fcs == L2CAP_FCS_CRC16) {
3107 skb_trim(skb, skb->len - 2);
3108 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3109 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3110
3111 if (our_fcs != rcv_fcs)
3112 return -EINVAL;
3113 }
3114 return 0;
3115 }
3116
3117 static void l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
3118 {
3119 struct sk_buff *next_skb;
3120
3121 bt_cb(skb)->tx_seq = tx_seq;
3122 bt_cb(skb)->sar = sar;
3123
3124 next_skb = skb_peek(SREJ_QUEUE(sk));
3125 if (!next_skb) {
3126 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3127 return;
3128 }
3129
3130 do {
3131 if (bt_cb(next_skb)->tx_seq > tx_seq) {
3132 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
3133 return;
3134 }
3135
3136 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3137 break;
3138
3139 } while((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
3140
3141 __skb_queue_tail(SREJ_QUEUE(sk), skb);
3142 }
3143
3144 static int l2cap_sar_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3145 {
3146 struct l2cap_pinfo *pi = l2cap_pi(sk);
3147 struct sk_buff *_skb;
3148 int err = -EINVAL;
3149
3150 switch (control & L2CAP_CTRL_SAR) {
3151 case L2CAP_SDU_UNSEGMENTED:
3152 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3153 kfree_skb(pi->sdu);
3154 break;
3155 }
3156
3157 err = sock_queue_rcv_skb(sk, skb);
3158 if (!err)
3159 return 0;
3160
3161 break;
3162
3163 case L2CAP_SDU_START:
3164 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3165 kfree_skb(pi->sdu);
3166 break;
3167 }
3168
3169 pi->sdu_len = get_unaligned_le16(skb->data);
3170 skb_pull(skb, 2);
3171
3172 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3173 if (!pi->sdu) {
3174 err = -ENOMEM;
3175 break;
3176 }
3177
3178 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3179
3180 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3181 pi->partial_sdu_len = skb->len;
3182 err = 0;
3183 break;
3184
3185 case L2CAP_SDU_CONTINUE:
3186 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3187 break;
3188
3189 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3190
3191 pi->partial_sdu_len += skb->len;
3192 if (pi->partial_sdu_len > pi->sdu_len)
3193 kfree_skb(pi->sdu);
3194 else
3195 err = 0;
3196
3197 break;
3198
3199 case L2CAP_SDU_END:
3200 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3201 break;
3202
3203 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3204
3205 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3206 pi->partial_sdu_len += skb->len;
3207
3208 if (pi->partial_sdu_len == pi->sdu_len) {
3209 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3210 err = sock_queue_rcv_skb(sk, _skb);
3211 if (err < 0)
3212 kfree_skb(_skb);
3213 }
3214 kfree_skb(pi->sdu);
3215 err = 0;
3216
3217 break;
3218 }
3219
3220 kfree_skb(skb);
3221 return err;
3222 }
3223
3224 static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3225 {
3226 struct sk_buff *skb;
3227 u16 control = 0;
3228
3229 while((skb = skb_peek(SREJ_QUEUE(sk)))) {
3230 if (bt_cb(skb)->tx_seq != tx_seq)
3231 break;
3232
3233 skb = skb_dequeue(SREJ_QUEUE(sk));
3234 control |= bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3235 l2cap_sar_reassembly_sdu(sk, skb, control);
3236 l2cap_pi(sk)->buffer_seq_srej =
3237 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
3238 tx_seq++;
3239 }
3240 }
3241
3242 static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3243 {
3244 struct l2cap_pinfo *pi = l2cap_pi(sk);
3245 struct srej_list *l, *tmp;
3246 u16 control;
3247
3248 list_for_each_entry_safe(l,tmp, SREJ_LIST(sk), list) {
3249 if (l->tx_seq == tx_seq) {
3250 list_del(&l->list);
3251 kfree(l);
3252 return;
3253 }
3254 control = L2CAP_SUPER_SELECT_REJECT;
3255 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3256 l2cap_send_sframe(pi, control);
3257 list_del(&l->list);
3258 list_add_tail(&l->list, SREJ_LIST(sk));
3259 }
3260 }
3261
3262 static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3263 {
3264 struct l2cap_pinfo *pi = l2cap_pi(sk);
3265 struct srej_list *new;
3266 u16 control;
3267
3268 while (tx_seq != pi->expected_tx_seq) {
3269 control = L2CAP_SUPER_SELECT_REJECT;
3270 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3271 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
3272 control |= L2CAP_CTRL_POLL;
3273 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
3274 }
3275 l2cap_send_sframe(pi, control);
3276
3277 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3278 new->tx_seq = pi->expected_tx_seq++;
3279 list_add_tail(&new->list, SREJ_LIST(sk));
3280 }
3281 pi->expected_tx_seq++;
3282 }
3283
3284 static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3285 {
3286 struct l2cap_pinfo *pi = l2cap_pi(sk);
3287 u8 tx_seq = __get_txseq(rx_control);
3288 u16 tx_control = 0;
3289 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3290 int err = 0;
3291
3292 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3293
3294 if (tx_seq == pi->expected_tx_seq)
3295 goto expected;
3296
3297 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3298 struct srej_list *first;
3299
3300 first = list_first_entry(SREJ_LIST(sk),
3301 struct srej_list, list);
3302 if (tx_seq == first->tx_seq) {
3303 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3304 l2cap_check_srej_gap(sk, tx_seq);
3305
3306 list_del(&first->list);
3307 kfree(first);
3308
3309 if (list_empty(SREJ_LIST(sk))) {
3310 pi->buffer_seq = pi->buffer_seq_srej;
3311 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
3312 }
3313 } else {
3314 struct srej_list *l;
3315 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3316
3317 list_for_each_entry(l, SREJ_LIST(sk), list) {
3318 if (l->tx_seq == tx_seq) {
3319 l2cap_resend_srejframe(sk, tx_seq);
3320 return 0;
3321 }
3322 }
3323 l2cap_send_srejframe(sk, tx_seq);
3324 }
3325 } else {
3326 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
3327
3328 INIT_LIST_HEAD(SREJ_LIST(sk));
3329 pi->buffer_seq_srej = pi->buffer_seq;
3330
3331 __skb_queue_head_init(SREJ_QUEUE(sk));
3332 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3333
3334 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3335
3336 l2cap_send_srejframe(sk, tx_seq);
3337 }
3338 return 0;
3339
3340 expected:
3341 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3342
3343 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3344 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3345 return 0;
3346 }
3347
3348 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3349
3350 err = l2cap_sar_reassembly_sdu(sk, skb, rx_control);
3351 if (err < 0)
3352 return err;
3353
3354 pi->num_to_ack = (pi->num_to_ack + 1) % L2CAP_DEFAULT_NUM_TO_ACK;
3355 if (pi->num_to_ack == L2CAP_DEFAULT_NUM_TO_ACK - 1) {
3356 tx_control |= L2CAP_SUPER_RCV_READY;
3357 tx_control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3358 l2cap_send_sframe(pi, tx_control);
3359 }
3360 return 0;
3361 }
3362
3363 static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3364 {
3365 struct l2cap_pinfo *pi = l2cap_pi(sk);
3366 u8 tx_seq = __get_reqseq(rx_control);
3367
3368 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
3369
3370 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3371 case L2CAP_SUPER_RCV_READY:
3372 if (rx_control & L2CAP_CTRL_POLL) {
3373 u16 control = L2CAP_CTRL_FINAL;
3374 control |= L2CAP_SUPER_RCV_READY |
3375 (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT);
3376 l2cap_send_sframe(l2cap_pi(sk), control);
3377 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3378
3379 } else if (rx_control & L2CAP_CTRL_FINAL) {
3380 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3381 pi->expected_ack_seq = tx_seq;
3382 l2cap_drop_acked_frames(sk);
3383
3384 if (!(pi->conn_state & L2CAP_CONN_WAIT_F))
3385 break;
3386
3387 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3388 del_timer(&pi->monitor_timer);
3389
3390 if (pi->unacked_frames > 0)
3391 __mod_retrans_timer();
3392 } else {
3393 pi->expected_ack_seq = tx_seq;
3394 l2cap_drop_acked_frames(sk);
3395
3396 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3397 && (pi->unacked_frames > 0))
3398 __mod_retrans_timer();
3399
3400 l2cap_ertm_send(sk);
3401 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3402 }
3403 break;
3404
3405 case L2CAP_SUPER_REJECT:
3406 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3407
3408 pi->expected_ack_seq = __get_reqseq(rx_control);
3409 l2cap_drop_acked_frames(sk);
3410
3411 sk->sk_send_head = TX_QUEUE(sk)->next;
3412 pi->next_tx_seq = pi->expected_ack_seq;
3413
3414 l2cap_ertm_send(sk);
3415
3416 break;
3417
3418 case L2CAP_SUPER_SELECT_REJECT:
3419 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3420
3421 if (rx_control & L2CAP_CTRL_POLL) {
3422 l2cap_retransmit_frame(sk, tx_seq);
3423 pi->expected_ack_seq = tx_seq;
3424 l2cap_drop_acked_frames(sk);
3425 l2cap_ertm_send(sk);
3426 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3427 pi->srej_save_reqseq = tx_seq;
3428 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3429 }
3430 } else if (rx_control & L2CAP_CTRL_FINAL) {
3431 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
3432 pi->srej_save_reqseq == tx_seq)
3433 pi->srej_save_reqseq &= ~L2CAP_CONN_SREJ_ACT;
3434 else
3435 l2cap_retransmit_frame(sk, tx_seq);
3436 }
3437 else {
3438 l2cap_retransmit_frame(sk, tx_seq);
3439 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
3440 pi->srej_save_reqseq = tx_seq;
3441 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
3442 }
3443 }
3444 break;
3445
3446 case L2CAP_SUPER_RCV_NOT_READY:
3447 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3448 pi->expected_ack_seq = tx_seq;
3449 l2cap_drop_acked_frames(sk);
3450
3451 del_timer(&l2cap_pi(sk)->retrans_timer);
3452 if (rx_control & L2CAP_CTRL_POLL) {
3453 u16 control = L2CAP_CTRL_FINAL;
3454 l2cap_send_rr_or_rnr(l2cap_pi(sk), control);
3455 }
3456 break;
3457 }
3458
3459 return 0;
3460 }
3461
3462 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3463 {
3464 struct sock *sk;
3465 struct l2cap_pinfo *pi;
3466 u16 control, len;
3467 u8 tx_seq;
3468 int err;
3469
3470 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3471 if (!sk) {
3472 BT_DBG("unknown cid 0x%4.4x", cid);
3473 goto drop;
3474 }
3475
3476 pi = l2cap_pi(sk);
3477
3478 BT_DBG("sk %p, len %d", sk, skb->len);
3479
3480 if (sk->sk_state != BT_CONNECTED)
3481 goto drop;
3482
3483 switch (pi->mode) {
3484 case L2CAP_MODE_BASIC:
3485 /* If socket recv buffers overflows we drop data here
3486 * which is *bad* because L2CAP has to be reliable.
3487 * But we don't have any other choice. L2CAP doesn't
3488 * provide flow control mechanism. */
3489
3490 if (pi->imtu < skb->len)
3491 goto drop;
3492
3493 if (!sock_queue_rcv_skb(sk, skb))
3494 goto done;
3495 break;
3496
3497 case L2CAP_MODE_ERTM:
3498 control = get_unaligned_le16(skb->data);
3499 skb_pull(skb, 2);
3500 len = skb->len;
3501
3502 if (__is_sar_start(control))
3503 len -= 2;
3504
3505 if (pi->fcs == L2CAP_FCS_CRC16)
3506 len -= 2;
3507
3508 /*
3509 * We can just drop the corrupted I-frame here.
3510 * Receiver will miss it and start proper recovery
3511 * procedures and ask retransmission.
3512 */
3513 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE)
3514 goto drop;
3515
3516 if (l2cap_check_fcs(pi, skb))
3517 goto drop;
3518
3519 if (__is_iframe(control))
3520 err = l2cap_data_channel_iframe(sk, control, skb);
3521 else
3522 err = l2cap_data_channel_sframe(sk, control, skb);
3523
3524 if (!err)
3525 goto done;
3526 break;
3527
3528 case L2CAP_MODE_STREAMING:
3529 control = get_unaligned_le16(skb->data);
3530 skb_pull(skb, 2);
3531 len = skb->len;
3532
3533 if (__is_sar_start(control))
3534 len -= 2;
3535
3536 if (pi->fcs == L2CAP_FCS_CRC16)
3537 len -= 2;
3538
3539 if (len > L2CAP_DEFAULT_MAX_PDU_SIZE || __is_sframe(control))
3540 goto drop;
3541
3542 if (l2cap_check_fcs(pi, skb))
3543 goto drop;
3544
3545 tx_seq = __get_txseq(control);
3546
3547 if (pi->expected_tx_seq == tx_seq)
3548 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3549 else
3550 pi->expected_tx_seq = tx_seq + 1;
3551
3552 err = l2cap_sar_reassembly_sdu(sk, skb, control);
3553
3554 goto done;
3555
3556 default:
3557 BT_DBG("sk %p: bad mode 0x%2.2x", sk, l2cap_pi(sk)->mode);
3558 break;
3559 }
3560
3561 drop:
3562 kfree_skb(skb);
3563
3564 done:
3565 if (sk)
3566 bh_unlock_sock(sk);
3567
3568 return 0;
3569 }
3570
3571 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
3572 {
3573 struct sock *sk;
3574
3575 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
3576 if (!sk)
3577 goto drop;
3578
3579 BT_DBG("sk %p, len %d", sk, skb->len);
3580
3581 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
3582 goto drop;
3583
3584 if (l2cap_pi(sk)->imtu < skb->len)
3585 goto drop;
3586
3587 if (!sock_queue_rcv_skb(sk, skb))
3588 goto done;
3589
3590 drop:
3591 kfree_skb(skb);
3592
3593 done:
3594 if (sk)
3595 bh_unlock_sock(sk);
3596 return 0;
3597 }
3598
3599 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3600 {
3601 struct l2cap_hdr *lh = (void *) skb->data;
3602 u16 cid, len;
3603 __le16 psm;
3604
3605 skb_pull(skb, L2CAP_HDR_SIZE);
3606 cid = __le16_to_cpu(lh->cid);
3607 len = __le16_to_cpu(lh->len);
3608
3609 if (len != skb->len) {
3610 kfree_skb(skb);
3611 return;
3612 }
3613
3614 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3615
3616 switch (cid) {
3617 case L2CAP_CID_SIGNALING:
3618 l2cap_sig_channel(conn, skb);
3619 break;
3620
3621 case L2CAP_CID_CONN_LESS:
3622 psm = get_unaligned_le16(skb->data);
3623 skb_pull(skb, 2);
3624 l2cap_conless_channel(conn, psm, skb);
3625 break;
3626
3627 default:
3628 l2cap_data_channel(conn, cid, skb);
3629 break;
3630 }
3631 }
3632
3633 /* ---- L2CAP interface with lower layer (HCI) ---- */
3634
3635 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3636 {
3637 int exact = 0, lm1 = 0, lm2 = 0;
3638 register struct sock *sk;
3639 struct hlist_node *node;
3640
3641 if (type != ACL_LINK)
3642 return 0;
3643
3644 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3645
3646 /* Find listening sockets and check their link_mode */
3647 read_lock(&l2cap_sk_list.lock);
3648 sk_for_each(sk, node, &l2cap_sk_list.head) {
3649 if (sk->sk_state != BT_LISTEN)
3650 continue;
3651
3652 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
3653 lm1 |= HCI_LM_ACCEPT;
3654 if (l2cap_pi(sk)->role_switch)
3655 lm1 |= HCI_LM_MASTER;
3656 exact++;
3657 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3658 lm2 |= HCI_LM_ACCEPT;
3659 if (l2cap_pi(sk)->role_switch)
3660 lm2 |= HCI_LM_MASTER;
3661 }
3662 }
3663 read_unlock(&l2cap_sk_list.lock);
3664
3665 return exact ? lm1 : lm2;
3666 }
3667
3668 static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3669 {
3670 struct l2cap_conn *conn;
3671
3672 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3673
3674 if (hcon->type != ACL_LINK)
3675 return 0;
3676
3677 if (!status) {
3678 conn = l2cap_conn_add(hcon, status);
3679 if (conn)
3680 l2cap_conn_ready(conn);
3681 } else
3682 l2cap_conn_del(hcon, bt_err(status));
3683
3684 return 0;
3685 }
3686
3687 static int l2cap_disconn_ind(struct hci_conn *hcon)
3688 {
3689 struct l2cap_conn *conn = hcon->l2cap_data;
3690
3691 BT_DBG("hcon %p", hcon);
3692
3693 if (hcon->type != ACL_LINK || !conn)
3694 return 0x13;
3695
3696 return conn->disc_reason;
3697 }
3698
3699 static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3700 {
3701 BT_DBG("hcon %p reason %d", hcon, reason);
3702
3703 if (hcon->type != ACL_LINK)
3704 return 0;
3705
3706 l2cap_conn_del(hcon, bt_err(reason));
3707
3708 return 0;
3709 }
3710
3711 static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
3712 {
3713 if (sk->sk_type != SOCK_SEQPACKET)
3714 return;
3715
3716 if (encrypt == 0x00) {
3717 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
3718 l2cap_sock_clear_timer(sk);
3719 l2cap_sock_set_timer(sk, HZ * 5);
3720 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
3721 __l2cap_sock_close(sk, ECONNREFUSED);
3722 } else {
3723 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
3724 l2cap_sock_clear_timer(sk);
3725 }
3726 }
3727
3728 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
3729 {
3730 struct l2cap_chan_list *l;
3731 struct l2cap_conn *conn = hcon->l2cap_data;
3732 struct sock *sk;
3733
3734 if (!conn)
3735 return 0;
3736
3737 l = &conn->chan_list;
3738
3739 BT_DBG("conn %p", conn);
3740
3741 read_lock(&l->lock);
3742
3743 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
3744 bh_lock_sock(sk);
3745
3746 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
3747 bh_unlock_sock(sk);
3748 continue;
3749 }
3750
3751 if (!status && (sk->sk_state == BT_CONNECTED ||
3752 sk->sk_state == BT_CONFIG)) {
3753 l2cap_check_encryption(sk, encrypt);
3754 bh_unlock_sock(sk);
3755 continue;
3756 }
3757
3758 if (sk->sk_state == BT_CONNECT) {
3759 if (!status) {
3760 struct l2cap_conn_req req;
3761 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
3762 req.psm = l2cap_pi(sk)->psm;
3763
3764 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
3765
3766 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3767 L2CAP_CONN_REQ, sizeof(req), &req);
3768 } else {
3769 l2cap_sock_clear_timer(sk);
3770 l2cap_sock_set_timer(sk, HZ / 10);
3771 }
3772 } else if (sk->sk_state == BT_CONNECT2) {
3773 struct l2cap_conn_rsp rsp;
3774 __u16 result;
3775
3776 if (!status) {
3777 sk->sk_state = BT_CONFIG;
3778 result = L2CAP_CR_SUCCESS;
3779 } else {
3780 sk->sk_state = BT_DISCONN;
3781 l2cap_sock_set_timer(sk, HZ / 10);
3782 result = L2CAP_CR_SEC_BLOCK;
3783 }
3784
3785 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
3786 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3787 rsp.result = cpu_to_le16(result);
3788 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3789 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
3790 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3791 }
3792
3793 bh_unlock_sock(sk);
3794 }
3795
3796 read_unlock(&l->lock);
3797
3798 return 0;
3799 }
3800
3801 static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
3802 {
3803 struct l2cap_conn *conn = hcon->l2cap_data;
3804
3805 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
3806 goto drop;
3807
3808 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
3809
3810 if (flags & ACL_START) {
3811 struct l2cap_hdr *hdr;
3812 int len;
3813
3814 if (conn->rx_len) {
3815 BT_ERR("Unexpected start frame (len %d)", skb->len);
3816 kfree_skb(conn->rx_skb);
3817 conn->rx_skb = NULL;
3818 conn->rx_len = 0;
3819 l2cap_conn_unreliable(conn, ECOMM);
3820 }
3821
3822 if (skb->len < 2) {
3823 BT_ERR("Frame is too short (len %d)", skb->len);
3824 l2cap_conn_unreliable(conn, ECOMM);
3825 goto drop;
3826 }
3827
3828 hdr = (struct l2cap_hdr *) skb->data;
3829 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
3830
3831 if (len == skb->len) {
3832 /* Complete frame received */
3833 l2cap_recv_frame(conn, skb);
3834 return 0;
3835 }
3836
3837 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
3838
3839 if (skb->len > len) {
3840 BT_ERR("Frame is too long (len %d, expected len %d)",
3841 skb->len, len);
3842 l2cap_conn_unreliable(conn, ECOMM);
3843 goto drop;
3844 }
3845
3846 /* Allocate skb for the complete frame (with header) */
3847 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
3848 if (!conn->rx_skb)
3849 goto drop;
3850
3851 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
3852 skb->len);
3853 conn->rx_len = len - skb->len;
3854 } else {
3855 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
3856
3857 if (!conn->rx_len) {
3858 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
3859 l2cap_conn_unreliable(conn, ECOMM);
3860 goto drop;
3861 }
3862
3863 if (skb->len > conn->rx_len) {
3864 BT_ERR("Fragment is too long (len %d, expected %d)",
3865 skb->len, conn->rx_len);
3866 kfree_skb(conn->rx_skb);
3867 conn->rx_skb = NULL;
3868 conn->rx_len = 0;
3869 l2cap_conn_unreliable(conn, ECOMM);
3870 goto drop;
3871 }
3872
3873 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
3874 skb->len);
3875 conn->rx_len -= skb->len;
3876
3877 if (!conn->rx_len) {
3878 /* Complete frame received */
3879 l2cap_recv_frame(conn, conn->rx_skb);
3880 conn->rx_skb = NULL;
3881 }
3882 }
3883
3884 drop:
3885 kfree_skb(skb);
3886 return 0;
3887 }
3888
3889 static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
3890 {
3891 struct sock *sk;
3892 struct hlist_node *node;
3893 char *str = buf;
3894 int size = PAGE_SIZE;
3895
3896 read_lock_bh(&l2cap_sk_list.lock);
3897
3898 sk_for_each(sk, node, &l2cap_sk_list.head) {
3899 struct l2cap_pinfo *pi = l2cap_pi(sk);
3900 int len;
3901
3902 len = snprintf(str, size, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
3903 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
3904 sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
3905 pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
3906
3907 size -= len;
3908 if (size <= 0)
3909 break;
3910
3911 str += len;
3912 }
3913
3914 read_unlock_bh(&l2cap_sk_list.lock);
3915
3916 return str - buf;
3917 }
3918
3919 static CLASS_ATTR(l2cap, S_IRUGO, l2cap_sysfs_show, NULL);
3920
3921 static const struct proto_ops l2cap_sock_ops = {
3922 .family = PF_BLUETOOTH,
3923 .owner = THIS_MODULE,
3924 .release = l2cap_sock_release,
3925 .bind = l2cap_sock_bind,
3926 .connect = l2cap_sock_connect,
3927 .listen = l2cap_sock_listen,
3928 .accept = l2cap_sock_accept,
3929 .getname = l2cap_sock_getname,
3930 .sendmsg = l2cap_sock_sendmsg,
3931 .recvmsg = l2cap_sock_recvmsg,
3932 .poll = bt_sock_poll,
3933 .ioctl = bt_sock_ioctl,
3934 .mmap = sock_no_mmap,
3935 .socketpair = sock_no_socketpair,
3936 .shutdown = l2cap_sock_shutdown,
3937 .setsockopt = l2cap_sock_setsockopt,
3938 .getsockopt = l2cap_sock_getsockopt
3939 };
3940
3941 static struct net_proto_family l2cap_sock_family_ops = {
3942 .family = PF_BLUETOOTH,
3943 .owner = THIS_MODULE,
3944 .create = l2cap_sock_create,
3945 };
3946
3947 static struct hci_proto l2cap_hci_proto = {
3948 .name = "L2CAP",
3949 .id = HCI_PROTO_L2CAP,
3950 .connect_ind = l2cap_connect_ind,
3951 .connect_cfm = l2cap_connect_cfm,
3952 .disconn_ind = l2cap_disconn_ind,
3953 .disconn_cfm = l2cap_disconn_cfm,
3954 .security_cfm = l2cap_security_cfm,
3955 .recv_acldata = l2cap_recv_acldata
3956 };
3957
3958 static int __init l2cap_init(void)
3959 {
3960 int err;
3961
3962 err = proto_register(&l2cap_proto, 0);
3963 if (err < 0)
3964 return err;
3965
3966 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
3967 if (err < 0) {
3968 BT_ERR("L2CAP socket registration failed");
3969 goto error;
3970 }
3971
3972 err = hci_register_proto(&l2cap_hci_proto);
3973 if (err < 0) {
3974 BT_ERR("L2CAP protocol registration failed");
3975 bt_sock_unregister(BTPROTO_L2CAP);
3976 goto error;
3977 }
3978
3979 if (class_create_file(bt_class, &class_attr_l2cap) < 0)
3980 BT_ERR("Failed to create L2CAP info file");
3981
3982 BT_INFO("L2CAP ver %s", VERSION);
3983 BT_INFO("L2CAP socket layer initialized");
3984
3985 return 0;
3986
3987 error:
3988 proto_unregister(&l2cap_proto);
3989 return err;
3990 }
3991
3992 static void __exit l2cap_exit(void)
3993 {
3994 class_remove_file(bt_class, &class_attr_l2cap);
3995
3996 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
3997 BT_ERR("L2CAP socket unregistration failed");
3998
3999 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4000 BT_ERR("L2CAP protocol unregistration failed");
4001
4002 proto_unregister(&l2cap_proto);
4003 }
4004
4005 void l2cap_load(void)
4006 {
4007 /* Dummy function to trigger automatic L2CAP module loading by
4008 * other modules that use L2CAP sockets but don't use any other
4009 * symbols from it. */
4010 return;
4011 }
4012 EXPORT_SYMBOL(l2cap_load);
4013
4014 module_init(l2cap_init);
4015 module_exit(l2cap_exit);
4016
4017 module_param(enable_ertm, bool, 0644);
4018 MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4019
4020 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
4021 MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4022 MODULE_VERSION(VERSION);
4023 MODULE_LICENSE("GPL");
4024 MODULE_ALIAS("bt-proto-0");
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree